My Calendar < 3.4.24 – Authenticated Stored XSS | CVE 2024-1274 | Plugin Vulnerabilities

Description

The plugin does not sanitise and escape some parameters, which could allow users with a role as low as Subscriber to perform Cross-Site Scripting attacks (depending on the permissions set by the admin)

Proof of Concept

1. Use any type of role (as long as you permit it the action to Add Events).
2. Add a new event, and insert the following in the Excerpt field and in the Registration Information field: <script>alert(111)</script>
3. Edit the event using an Admin account, or browse it on the front end and the alert will trigger.

Affects Plugins

Fixed in 3.4.24

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Submitter

cyc707

Verified

Yes

WPVDB ID

91dba45b-9930-4bfb-a7bf-903c46864e9f

Timeline

Publicly Published

2024-03-07 (about 1 year ago)

Added

2024-03-07 (about 1 year ago)

Last Updated

2024-03-07 (about 1 year ago)

Other

Published

Title

Published

2025-11-03

Title

MeetingList <= 0.11 - Authenticated (Admin+) Stored Cross-Site Scripting

Published

2019-01-14

Title

easy-redirect-manager 2.18.18 - Cross-Site Scripting (XSS)

Published

2025-02-14

Title

Alphabetic Pagination < 3.2.2 - Reflected Cross-Site Scripting

Published

2022-09-02

Title

Meet My Team <= 2.1 - Contributor+ Stored Cross-Site Scripting

Published

2025-04-10

Title

Cart66 Cloud <= 2.3.7 - Reflected Cross-Site Scripting