CVSS: 8.5EPSS: 0%CPEs: 2EXPL: 0CVE-2024-6522 – Modern Events Calendar <= 7.12.1 - Authenticated (Subscriber+) Server Side Request Forgery
https://notcve.org/view.php?id=CVE-2024-6522
06 Aug 2024 — The Modern Events Calendar plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 7.12.1 via the 'mec_fes_form' AJAX function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. • https://mec.webnus.net/change-log • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 9.0EPSS: 0%CPEs: 2EXPL: 0CVE-2024-5441 – Modern Events Calendar <= 7.11.0 - Authenticated (Subscriber+) Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2024-5441
08 Jul 2024 — The Modern Events Calendar plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the set_featured_image function in all versions up to, and including, 7.11.0. This makes it possible for authenticated attackers, with subscriber access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. The plugin allows administrators (via its settings) to extend the ability to submit events to unauthenticated users, w... • https://webnus.net/modern-events-calendar • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-4021 – Modern Events Calendar lite < 7.1.0 - Authenticated (Admin+) Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2023-4021
28 Sep 2023 — The Modern Events Calendar lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Google API key and Calendar ID in versions up to, but not including, 7.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfilt... • https://webnus.net/modern-events-calendar/change-log • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 1CVE-2023-1400 – Modern Events Calendar lite < 6.5.2 - Admin+ Stored XSS
https://notcve.org/view.php?id=CVE-2023-1400
14 Mar 2023 — The Modern Events Calendar Lite WordPress plugin before 6.5.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). The Modern Events Calendar lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Google API key and Calendar ID in versions up to, and including, 6.10.5 due to insufficient input sanitizati... • https://wpscan.com/vulnerability/c7feceef-28f1-4cac-b124-4b95e3f17b07 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2022-30533 – Modern Events Calendar Lite <= 6.2.9 - Authenticated (Contributor+) Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2022-30533
01 Jun 2022 — Cross-site scripting vulnerability in Modern Events Calendar Lite versions prior to 6.3.0 allows remote an authenticated attacker to inject an arbitrary script via unspecified vectors. Una vulnerabilidad de tipo cross-site scripting en Modern Events Calendar Lite versiones anteriores a 6.3.0, permite a un atacante remoto autenticado inyectar un script arbitrario por medio de vectores no especificados The Modern Events Calendar Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via an unk... • https://jvn.jp/en/jp/JVN04155116/index.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2022-27848 – WordPress Modern Events Calendar Lite plugin <= 6.5.1 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
https://notcve.org/view.php?id=CVE-2022-27848
14 Apr 2022 — Authenticated (admin+ user) Stored Cross-Site Scripting (XSS) in Modern Events Calendar Lite (WordPress plugin) <= 6.5.1 Una vulnerabilidad de tipo Cross-Site Scripting (XSS) Almacenado y Autenticado (admin+ usuario) en Modern Events Calendar Lite (plugin de WordPress) versiones anteriores a 6.5.1 incluyéndola The Modern Events Calendar Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 6.5.1 due to insufficient input sanitization and output escaping. Th... • https://patchstack.com/database/vulnerability/modern-events-calendar-lite/wordpress-modern-events-calendar-lite-plugin-6-5-1-authenticated-stored-cross-site-scripting-xss-vulnerability • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 1CVE-2022-0364 – Modern Events Calendar Lite < 6.4.0 - Contributor+ Stored Cross Site Scripting
https://notcve.org/view.php?id=CVE-2022-0364
28 Feb 2022 — The Modern Events Calendar Lite WordPress plugin before 6.4.0 does not sanitize and escape some of the Hourly Schedule parameters which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks El plugin Modern Events Calendar Lite de WordPress versiones anteriores a 6.4.0, no sanea ni escapa de algunos de los parámetros Hourly Schedule, lo que podría permitir a usuarios con un rol tan bajo como el de contribuyente llevar a cabo ataques de tipo Cross-Site Scripting a... • https://wpscan.com/vulnerability/0eb40cd5-838e-4b53-994d-22cf7c8a6c50 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2021-25046 – Modern Events Calendar Lite < 6.2.0 - Subscriber+ Category Add Leading to Stored XSS
https://notcve.org/view.php?id=CVE-2021-25046
03 Dec 2021 — The Modern Events Calendar Lite WordPress plugin before 6.2.0 alloed any logged-in user, even a subscriber user, may add a category whose parameters are incorrectly escaped in the admin panel, leading to stored XSS. El plugin Modern Events Calendar Lite de WordPress versiones anteriores a 6.2.0, permitía que cualquier usuario conectado, incluso un usuario suscriptor, pudiera añadir una categoría cuyos parámetros escapaban incorrectamente en el panel de administración, conllevando a un ataque de tipo XSS alm... • https://wpscan.com/vulnerability/19c2f456-a41e-4755-912d-13683719bae6 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2021-24925 – Modern Events Calendar Lite < 6.1.5 - Reflected Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2021-24925
15 Nov 2021 — The Modern Events Calendar Lite WordPress plugin before 6.1.5 does not sanitise and escape the current_month_divider parameter of its mec_list_load_more AJAX call (available to both unauthenticated and authenticated users) before outputting it back in the response, leading to a Reflected Cross-Site Scripting issue El plugin Modern Events Calendar Lite de WordPress versiones anteriores a 6.1.5, no sanea ni escapa del parámetro current_month_divider de su llamada AJAX mec_list_load_more (disponible para usuar... • https://wpscan.com/vulnerability/82233588-6033-462d-b886-a8ef5ee9adb0 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 96%CPEs: 1EXPL: 6CVE-2021-24946 – Modern Events Calendar < 6.1.5 - Unauthenticated Blind SQL Injection
https://notcve.org/view.php?id=CVE-2021-24946
15 Nov 2021 — The Modern Events Calendar Lite WordPress plugin before 6.1.5 does not sanitise and escape the time parameter before using it in a SQL statement in the mec_load_single_page AJAX action, available to unauthenticated users, leading to an unauthenticated SQL injection issue El plugin Modern Events Calendar Lite de WordPress versiones anteriores a 6.1.5, no sanea ni escapa del parámetro time antes de usarlo en una sentencia SQL en la acción mec_load_single_page AJAX, disponible para usuarios no autenticados, co... • https://packetstorm.news/files/id/181074 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •