CVE-2023-4021

2023-10-2008:15:12

CWE-79

[email protected]

web.nvd.nist.gov

modern events calendar

wordpress

vulnerability

stored xss

cross-site scripting

google api

calendar id

input sanitization

output escaping

multi-site installations

nvd

4.8 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

4.9 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

13.9%

JSON

The Modern Events Calendar lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Google API key and Calendar ID in versions up to, but not including, 7.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

Affected configurations

Vulners

NVD

Node

webnus\/modern_events_calendar_liteRange<7.1.0

CPENameOperatorVersion
webnus:modern_events_calendar_litewebnus modern events calendar litelt7.1.0

CPE	Name	Operator	Version
webnus:modern_events_calendar_lite	webnus modern events calendar lite	lt	7.1.0

CNA Affected

[
  {
    "vendor": "webnus/",
    "product": "Modern Events Calendar Lite",
    "versions": [
      {
        "version": "*",
        "status": "affected",
        "lessThan": "7.1.0",
        "versionType": "semver"
      }
    ],
    "defaultStatus": "unaffected"
  }
]