Source: wpexploit | Author: cyc707 | WPEX-ID: 91DBA45B-9930-4BFB-A7BF-903C46864E9F
History: Mar 07, 2024 - 12:00 a.m.

My Calendar < 3.4.24 - Authenticated Stored XSS

Published: 2024-03-07 00:00:00
Author: cyc707
Tags: vulnerability, my calendar, authenticated, stored xss, excerpt field, registration information, admin account, front end, exploit

AI Score: 6 Medium (Confidence: High)
EPSS: 0.0004 Low (Percentile: 9.0%)

Description: The plugin does not sanitise and escape some event parameters, which could allow users with a role as low as Subscriber to perform Stored Cross-Site Scripting attacks (depending on which roles the administrator has permitted to add events).

1. Log in with any role that has been granted permission to Add Events (depending on the plugin's permission settings this can be as low as Subscriber).
2. Add a new event and enter the following payload in both the Excerpt field and the Registration Information field: <script>alert(111)</script>
3. Open the event for editing with an Admin account, or view it on the front end; the alert fires in either context, so the stored payload executes both in the dashboard (against an administrator) and for ordinary site visitors.
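The bug class behind these steps is output without escaping: text saved from the event form is concatenated straight into HTML. The following is an added illustrative example, not code from the My Calendar plugin or from the advisory author. The function names render_event_vulnerable and render_event_hardened and the sample event array are hypothetical; esc_html() and wp_kses_post() are the real WordPress escaping helpers, and the fallbacks defined at the top are assumed stand-ins so the file also runs under plain php outside WordPress.

```php
<?php
// Added illustrative example (not the plugin's code): the unescaped
// rendering pattern that produces a stored XSS, next to a hardened
// version that escapes on output with the WordPress helpers.

if ( ! function_exists( 'esc_html' ) ) {
    // Assumed stand-ins so this runs outside WordPress. The real
    // functions are stricter; these are close enough for the demo.
    function esc_html( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    }
    function wp_kses_post( $text ) {
        // Real wp_kses_post() keeps an allow-list of post-safe tags and
        // attributes (and drops javascript: URLs); this stand-in only
        // strips disallowed tags, so do not use it in production.
        return strip_tags( (string) $text, '<p><br><strong><em><a>' );
    }
}

// Constructed sample event, as a Subscriber-level user could submit it
// through the Add Event form (payload from the advisory).
$event = array(
    'title'        => 'Team meeting',
    'excerpt'      => '<script>alert(111)</script>',
    'registration' => 'Register at <a href="https://example.invalid/desk">the desk</a>'
                      . '<script>alert(111)</script>',
);

// Vulnerable pattern: stored text is dropped straight into markup, so
// whatever the event author typed runs as HTML/JS for every viewer,
// including an administrator opening the event in the dashboard.
function render_event_vulnerable( array $event ) {
    return '<div class="mc-event">'
        . '<h3>' . $event['title'] . '</h3>'
        . '<p class="mc-excerpt">' . $event['excerpt'] . '</p>'
        . '<div class="mc-registration">' . $event['registration'] . '</div>'
        . '</div>';
}

// Hardened pattern: escape at the point of output. Plain-text fields
// (title, excerpt) go through esc_html(); a field that legitimately
// carries limited HTML (registration info with a link) goes through
// wp_kses_post(), which removes <script> and event-handler attributes.
function render_event_hardened( array $event ) {
    return '<div class="mc-event">'
        . '<h3>' . esc_html( $event['title'] ) . '</h3>'
        . '<p class="mc-excerpt">' . esc_html( $event['excerpt'] ) . '</p>'
        . '<div class="mc-registration">' . wp_kses_post( $event['registration'] ) . '</div>'
        . '</div>';
}

// Self-check: a live <script> tag must survive only in the vulnerable output.
$vuln = render_event_vulnerable( $event );
$safe = render_event_hardened( $event );

echo 'vulnerable output contains <script>: '
    . ( strpos( $vuln, '<script>' ) !== false ? 'yes' : 'no' ) . "\n";
echo 'hardened output contains <script>:   '
    . ( strpos( $safe, '<script>' ) !== false ? 'yes' : 'no' ) . "\n";
echo $safe . "\n";
```

The point of the contrast is that restricting who may add events only narrows the attacker pool; it does not remove the bug, because an administrator still renders the stored field when editing. The fix is escaping every stored field at output, choosing esc_html() for plain text and a kses allow-list only for fields that must carry markup.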

