WordPress Plugin Vulnerabilities

Modern Events Calendar Lite < 5.1.7 - Multiple Subscriber+ Stored XSS

Description

Modern Events Calendar Lite registers a number of AJAX actions for logged-in users. Some of these actions allow low-privileged users like subscribers to manipulate settings and other stored data. When exploited in this way, the affected data can be injected with various XSS payloads.

Affects Plugins

Plugin icon
modern-events-calendar-lite
Fixed in 5.1.7

References

CVE
CVE-2020-9459
URL
https://www.wordfence.com/blog/2020/02/site-takeover-campaign-exploits-multiple-zero-day-vulnerabilities/

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
5.4 (medium)

Miscellaneous

Original Researcher
Sean Murphy, QA Lead Matt Rusnak, and QA Engineer Ramuel Gall (Wordfence)
Verified
No
WPVDB ID
d3f4d6f1-fea9-4712-8573-86a0a624f9f5

Timeline

Publicly Published
2020-02-27 (about 6 years ago)
Added
2020-02-28 (about 6 years ago)
Last Updated
2020-09-22 (about 5 years ago)

Other

Published
Title
Published
2021-09-15
Title
Shared Files < 1.6.57 - Admin+ Stored Cross-Site Scripting
Published
2024-05-17
Title
Contact Form Plugin by Fluent Forms < 5.1.17 - Contributor+ Stored XSS
Published
2025-01-31
Title
WP Sessions Time Monitoring Full Automatic < 1.1.2 - Reflected Cross-Site Scripting
Published
2023-04-12
Title
ChatBot < 4.4.9 - Unauthenticated Stored XSS
Published
2024-01-03
Title
Complianz | GDPR/CCPA Cookie Consent < 6.5.6 - Admin+ Stored XSS