Cross-site Scripting (XSS) Vulnerability WP Events Calendar

ID HTB23037
Type htbridge
Reporter High-Tech Bridge
Modified 2011-08-10T00:00:00


High-Tech Bridge SA Security Research Lab has discovered vulnerability in WP Events Calendar, which can be exploited to perform cross-site scripting attacks.

1) Cross-site scripting (XSS) vulnerability in WP Events Calendar
Input passed via the "EC_id" GET parameter to /wp-admin/admin.php (when "page" is set to "events-calendar" and "EC_action" is set to "edit") is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected website. Successful exploitation requires that victim is logged-in into the application and has access to administrative interface.
Exploitation example:
http://[host]/wp-admin/admin.php?page=events-calendar&EC_action=edit&EC_id=% 22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
See also SA45717