WordPress Plugin Vulnerabilities

My Calendar <= 3.1.9 - Unauthenticated Cross-Site Scripting (XSS)

Description

Triggered via unescaped usage of URL parameters in multiple locations presented in the public view of a site.

Proof of Concept

Affects Plugins

Plugin icon
my-calendar
Fixed in 3.1.10

References

CVE
CVE-2019-15713
URL
https://plugins.trac.wordpress.org/changeset/2078031/my-calendar

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.1 (medium)

Miscellaneous

Original Researcher
Andreas Hell
Submitter
Joe Dolson
Submitter website
https://www.joedolson.com
Submitter twitter
joedolson
Verified
No
WPVDB ID
dbf334ce-c8f5-4380-b8ec-49703b386c8f

Timeline

Publicly Published
2019-04-30 (about 7 years ago)
Added
2019-05-03 (about 7 years ago)
Last Updated
2020-09-22 (about 5 years ago)

Other

Published
Title
Published
2025-01-16
Title
Ui Slider Filter By Price <= 1.1 - Reflected Cross-Site Scripting
Published
2024-09-25
Title
ElementsReady Addons for Elementor < 6.4.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2025-05-16
Title
Arconix Shortcodes < 2.1.17 - Reflected Cross-Site Scripting
Published
2024-04-22
Title
Colibri Page Builder < 1.0.264 - Author+ Stored Cross-Site Scripting
Published
2022-01-13
Title
PublishPress Capabilities < 2.3.3 - Reflected Cross-Site Scripting