My Calendar < 3.4.24 – Authenticated Stored XSS | CVE 2024-1274 | Plugin Vulnerabilities

Description

The plugin does not sanitise and escape some parameters, which could allow users with a role as low as Subscriber to perform Cross-Site Scripting attacks (depending on the permissions set by the admin)

Proof of Concept

1. Use any type of role (as long as you permit it the action to Add Events).
2. Add a new event, and insert the following in the Excerpt field and in the Registration Information field: <script>alert(111)</script>
3. Edit the event using an Admin account, or browse it on the front end and the alert will trigger.

Affects Plugins

Fixed in 3.4.24

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

Miscellaneous

Submitter

cyc707

Verified

Yes

WPVDB ID

91dba45b-9930-4bfb-a7bf-903c46864e9f

Timeline

Publicly Published

2024-03-07 (about 2 months ago)

Added

2024-03-07 (about 2 months ago)

Last Updated

2024-03-07 (about 2 months ago)

Other

Published

Title

Published

2021-09-09

Title

Dropdown and scrollable Text < 2.1 - Reflected Cross-Site Scripting

Published

2021-03-17

Title

Elementor < 3.1.4 - Authenticated Stored Cross-Site Scripting (XSS) in Column Element

Published

2024-04-16

Title

Restaurant Menu – Food Ordering System – Table Reservation < 2.4.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2014-08-01

Title

WP Lead Management 3.0.0 - Script Insertion Vulnerabilities

Published

2020-01-13

Title

Computer Repair Shop < 2.0 - Authenticated Stored XSS