CVE-2024-7982 – Registrations for The Events Calendar < 2.12.4 - Unauthenticated Stored XSS
https://notcve.org/view.php?id=CVE-2024-7982
The Registrations for the Events Calendar WordPress plugin before 2.12.4 does not sanitise and escape some parameters when accepting event registrations, which could allow unauthenticated users to perform Cross-Site Scripting attacks. • https://wpscan.com/vulnerability/d79e1e9c-980d-4974-bfbd-d87d6e28d9a6 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2024-1295 – The Events Calendar (Free < 6.4.0.1, Pro < 6.4.0.1) - Contributor+ Arbitrary Events Access
https://notcve.org/view.php?id=CVE-2024-1295
The events-calendar-pro WordPress plugin before 6.4.0.1 and The Events Calendar WordPress plugin before 6.4.0.1 do not prevent users with at least the contributor role from leaking details about events they shouldn't have access to (e.g. password-protected events, drafts, etc.). Multiple plugins and/or themes for WordPress are vulnerable to unauthorized access of data due to insufficient capability checks and restrictions on a function in various versions. • https://wpscan.com/vulnerability/3cffbeb0-545a-4002-b02c-0fa38cada1db • CWE-862: Missing Authorization •
CVE-2024-4180 – The Events Calendar < 6.4.0.1 - Reflected XSS
https://notcve.org/view.php?id=CVE-2024-4180
The Events Calendar WordPress plugin before 6.4.0.1 does not properly sanitize user-submitted content when rendering some views via AJAX. The Events Calendar plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'view_data' parameter in all versions up to, and including, 6.4.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. • https://wpscan.com/vulnerability/b2a92316-e404-4a5e-8426-f88df6e87550 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •