Larsens Calender <= 1.2 – Stored Cross-Site Scripting (XSS) | CVE 2020-23762

Description

The plugin does not sanitise or encode the Title of the calendar entries when outputting them in the admin dashboard, leading to Stored XSS issue. Due to the lack of CSRF check, this can be exploited by a CSRF attack, making logged in administrators create malicious entries

Proof of Concept

The PoC will be displayed once the issue has been remediated.

Affects Plugins

larsens-calender

No known fix

References

CVE

CVE-2020-23762

URL

http://hidden-one.co.in/2021/04/09/cve-2020-23762-stored-xss-vulnerability-in-the-larsens-calender-plugin-version/

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CWE-79

CVSS

7.1 (high)

Miscellaneous

Original Researcher

TH3 HIDD3N 0N3

Verified

Yes

WPVDB ID

e8b176d1-6a19-4b34-9cae-a928e013f0cd

Timeline

Publicly Published

2021-04-09 (about 4 years ago)

Added

2021-04-10 (about 4 years ago)

Last Updated

2021-04-12 (about 4 years ago)

Other

Published

Title

Published

2025-08-04

Title

Employee Directory < 4.5.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via noaccess_msg Parameter

Published

2024-06-04

Title

Newsletter < 8.3.5 - Unauthenticated Stored Cross-Site Scripting via np1

Published

2022-10-19

Title

Mantenimiento Web < 0.14 - Admin+ Stored XSS

Published

2025-08-04

Title

Download Counter < 1.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via name Parameter

Published

2015-08-13

Title

Ad Inserter <= 1.5.5 - Authenticated Cross-Site Scripting (XSS)