CVE-2021-25025 – Event Calendar < 1.1.51 - Subscriber+ Event Creation
https://notcve.org/view.php?id=CVE-2021-25025
The EventCalendar WordPress plugin before 1.1.51 does not have proper authorisation and CSRF checks in the add_calendar_event AJAX actions, allowing users with a role as low as subscriber to create events. • https://wpscan.com/vulnerability/24fb4eb4-9fe1-4433-8844-8904eaf13c0e • CWE-352: Cross-Site Request Forgery (CSRF) • CWE-862: Missing Authorization
CVE-2021-25024 – Event Calendar < 1.1.51 - Reflected Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2021-25024
The EventCalendar WordPress plugin before 1.1.51 does not escape some user input before outputting it back in attributes, leading to Reflected Cross-Site Scripting issues. • https://wpscan.com/vulnerability/08864b76-d898-4dfe-970d-d7cc1b1115a7 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')