Amr Ical Events Lists <= 6.6 – Admin+ Stored XSS | CVE 2023-1021 | Plugin Vulnerabilities

Description

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

Proof of Concept

1. Login as Admin.
2. Go to wp-admin/admin.php?page=manage_amr_ical
3. Add the payload `"><script>alert(1)</script>` in any of the input fields under `General Options `
4. Hit Update and XSS will be triggered.

Affects Plugins

amr-ical-events-list

No known fix

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Shreya Pohekar

Submitter

Shreya Pohekar

Submitter website

https://shreyapohekar.com

Submitter twitter

Verified

Yes

WPVDB ID

91d04f96-11b2-46dc-860c-dc6c26360bf3

Timeline

Publicly Published

2023-04-04 (about 1 years ago)

Added

2023-04-04 (about 1 years ago)

Last Updated

2023-04-04 (about 1 years ago)

Other

Published

Title

Published

2023-01-17

Title

WP Visitor Statistics (Real Time Traffic) < 6.5 - Contributor+ Stored XSS via Shortcode

Published

2015-04-20

Title

WP eCommerce <= 3.9.2 - Reflected Cross-Site Scripting (XSS)

Published

2014-08-01

Title

DZS Video Gallery - preview_skin_rouge.swf logoLink Parameter Reflected XSS

Published

2022-01-26

Title

Embed Swagger <= 1.0.0 - Reflected Cross-Site Scripting

Published

2016-11-28

Title

WP Whois Domain <= 1.0.0 - Unauthenticated Cross-Site Scripting (XSS)