WordPress Plugin Vulnerabilities

MF Gig Calendar < 1.2 - Reflected Cross-Site Scripting (XSS)

Description

The plugin does not sanitise or escape the id GET parameter before outputting back in the admin dashboard when editing an Event, leading to a reflected Cross-Site Scripting issue

Proof of Concept

Affects Plugins

Plugin icon
mf-gig-calendar
Fixed in 1.2

References

CVE
CVE-2021-24510

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
7.1 (high)

Miscellaneous

Original Researcher
iohex
Submitter
iohex
Submitter twitter
iohehe
Verified
Yes
WPVDB ID
715721b0-13a1-413a-864d-2380f38ecd39

Timeline

Publicly Published
2021-08-17 (about 4 years ago)
Added
2021-08-17 (about 4 years ago)
Last Updated
2023-04-20 (about 2 years ago)

Other

Published
Title
Published
2024-10-14
Title
Da Reactions < 5.2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2025-07-22
Title
LearnPress Export Import <= 4.0.9 - Reflected Cross-Site Scripting
Published
2025-09-05
Title
Aparat Video Shortcode <= 0.2.4 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2023-01-19
Title
YARPP - Yet Another Related Posts Plugin < 5.30.3 - Contributor+ Stored XSS
Published
2024-12-03
Title
Posti Shipping < 3.10.4 - Reflected Cross-Site Scripting