WordPress Plugin Vulnerabilities

MF Gig Calendar < 1.2.1 - Contributor+ Stored Cross-Site Scripting

Description

The plugin does not sanitise and escape the event_title and event_time parameters, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks

Affects Plugins

Plugin icon
mf-gig-calendar
Fixed in 1.2.1

References

CVE
CVE-2023-37970

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.8 (medium)

Miscellaneous

Original Researcher
Abdi Pranata
Verified
No
WPVDB ID
a9ace3e6-4b01-4dd7-a59c-b5445a66b73c

Timeline

Publicly Published
2023-07-12 (about 2 years ago)
Added
2023-08-07 (about 2 years ago)
Last Updated
2023-08-07 (about 2 years ago)

Other

Published
Title
Published
2024-06-18
Title
OSM Map Widget for Elementor < 1.3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via id Parameter
Published
2024-05-29
Title
WP To Do <= 1.3.0 - Authenticated (Admin+) Stored Cross-Site Scripting via Settings
Published
2025-01-07
Title
Custom DataBase Tables <= 2.1.34 - Reflected Cross-Site Scripting
Published
2025-09-22
Title
Designil PDPA Thailand <= 2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2025-01-24
Title
Flexmls® IDX Plugin < 3.14.27 - Authenticated (Contributor+) Stored Cross-Site Scripting via API parameters