WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

Larsens Calender <= 1.2 - Stored Cross-Site Scripting (XSS)

Description

The plugin does not sanitise or encode the Title of the calendar entries when outputting them in the admin dashboard, leading to Stored XSS issue. Due to the lack of CSRF check, this can be exploited by a CSRF attack, making logged in administrators create malicious entries

Proof of Concept

The PoC will be displayed once the issue has been remediated

Affects Plugins

larsens-calender
No known fix - plugin closed

References

CVE
CVE-2020-23762
URL
http://hidden-one.co.in/2021/04/09/cve-2020-23762-stored-xss-vulnerability-in-the-larsens-calender-plugin-version/

Classification

Type

XSS

OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79

Miscellaneous

Original Researcher

TH3 HIDD3N 0N3

Verified

Yes

WPVDB ID
e8b176d1-6a19-4b34-9cae-a928e013f0cd

Timeline

Publicly Published

2021-04-09 (about 1 years ago)

Added

2021-04-10 (about 1 years ago)

Last Updated

2021-04-12 (about 1 years ago)

Our Other Services

WPScan WordPress Security Plugin