WordPress Plugin Vulnerabilities

Modern Events Calendar Lite < 5.22.3 - Authenticated Stored Cross Site Scripting

Description

The plugin does not properly sanitize or escape values set by users with access to adjust settings withing wp-admin.

Proof of Concept

Affects Plugins

Plugin icon
modern-events-calendar-lite
Fixed in 5.22.3

References

CVE
CVE-2021-24716

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
3.8 (low)

Miscellaneous

Original Researcher
Shivam Rai
Submitter
Shivam Rai
Submitter twitter
shivam24rai
Verified
Yes
WPVDB ID
576cc93d-1499-452b-97dd-80f69002e2a0

Timeline

Publicly Published
2021-09-29 (about 4 years ago)
Added
2021-09-29 (about 4 years ago)
Last Updated
2022-04-12 (about 3 years ago)

Other

Published
Title
Published
2025-01-16
Title
Network-Favorites <= 1.1 - Reflected Cross-Site Scripting
Published
2025-01-16
Title
Easy Bet <= 1.0.7 - Reflected Cross-Site Scripting
Published
2018-01-12
Title
Read and Understood <= 2.1 - Authenticated Stored XSS & CSRF
Published
2025-11-26
Title
Houzez < 4.1.7 - Unauthenticated Stored Cross-Site Scripting via SVG File Upload
Published
2024-07-10
Title
Magical Addons For Elementor < 1.1.42 - Contributor+ Stored XSS