WordPress Plugin Vulnerabilities

Modern Events Calendar Lite < 6.5.2 - Admin+ Stored Cross-Site Scripting

Description

The plugin does not sanitise and escape some parameters, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks when unfiltered_html is disallowed

Affects Plugins

Plugin icon
modern-events-calendar-lite
Fixed in 6.5.2

References

CVE
CVE-2022-27848

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
3.4 (low)

Miscellaneous

Original Researcher
Muhammad Daffa
Verified
No
WPVDB ID
ef2843d0-f84d-4093-a08b-342ed0848914

Timeline

Publicly Published
2022-04-14 (about 3 years ago)
Added
2022-04-15 (about 3 years ago)
Last Updated
2022-04-18 (about 3 years ago)

Other

Published
Title
Published
2020-08-31
Title
Chamber Dashboard Business Directory < 3.3.1 - Authenticated Stored Cross-Site Scripting
Published
2023-12-06
Title
Shortcodes and extra features for Phlox theme < 2.15.5 - Contributor+ Stored XSS
Published
2014-08-01
Title
FuneralPress 1.1.6 - Stored XSS
Published
2016-01-27
Title
IMPress Listings <= 2.0.1 - Unauthenticated Reflected Cross-Site Scripting (XSS)
Published
2023-11-09
Title
Advanced iFrame < 2023.9 - Contributor+ Stored XSS