WordPress Plugin Vulnerabilities

Community Events < 1.4.9 - Admin+ Stored XSS

Description

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

Affects Plugins

Plugin icon
community-events
Fixed in 1.4.9

References

CVE
CVE-2022-44742

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
3.5 (low)

Miscellaneous

Original Researcher
sk4rl1ghT
Verified
No
WPVDB ID
cb94330c-8398-41d4-9267-4ca14b4c5083

Timeline

Publicly Published
2022-11-25 (about 3 years ago)
Added
2023-03-23 (about 3 years ago)
Last Updated
2023-03-23 (about 3 years ago)

Other

Published
Title
Published
2023-02-13
Title
Fancy Comments WordPress < 1.2.11 - Contributor+ Stored XSS
Published
2024-02-02
Title
Scroll Triggered Box <= 2.3 - Authenticated (Editor+) Stored Cross-Site Scripting
Published
2024-01-17
Title
Advanced Custom Fields < 6.2.5 - Contributor+ Stored Cross-Site Scripting via Custom Field
Published
2022-05-30
Title
Google XML Sitemaps < 4.1.3 - Admin+ Stored Cross-Site Scripting
Published
2019-05-30
Title
WP Statistics < 12.6.6.1 - Authenticated Stored XSS