Page 2 of 12 results (0.007 seconds)

CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1

The Events Calendar WordPress plugin before 6.4.0.1 does not properly sanitize user-submitted content when rendering some views via AJAX. El complemento Events Calendar de WordPres anterior a 6.4.0.1 no sanitiza adecuadamente el contenido enviado por el usuario al representar algunas vistas a través de AJAX. The The Events Calendar plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'view_data' parameter in all versions up to, and including, 6.4.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. • https://wpscan.com/vulnerability/b2a92316-e404-4a5e-8426-f88df6e87550 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0

Cross-Site Request Forgery (CSRF) vulnerability in The Events Calendar.This issue affects The Events Calendar: from n/a through 6.3.0. Vulnerabilidad de Cross-Site Request Forgery (CSRF) en The Events Calendar. Este problema afecta a The Events Calendar: desde n/a hasta 6.3.0. The The Events Calendar plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 6.3.0. This is due to missing or incorrect nonce validation on the maybe_dismiss() function. • https://patchstack.com/database/vulnerability/the-events-calendar/wordpress-the-events-calendar-plugin-6-3-0-cross-site-request-forgery-csrf-vulnerability?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF) •

CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0

The The Events Calendar plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 6.2.8.2 via the route function hooked into wp_ajax_nopriv_tribe_dropdown. This makes it possible for unauthenticated attackers to extract potentially sensitive data including post titles and IDs of pending, private and draft posts. El complemento The Events Calendar para WordPress es vulnerable a la exposición de información confidencial en todas las versiones hasta la 6.2.8.2 incluida, a través de la función de ruta conectada a wp_ajax_nopriv_tribe_dropdown. Esto hace posible que atacantes no autenticados extraigan datos potencialmente confidenciales, incluidos títulos de publicaciones e ID de publicaciones pendientes, privadas y borradores. • https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3010104%40the-events-calendar%2Ftags%2F6.2.9&old=3010096%40the-events-calendar%2Ftags%2F6.2.9 https://www.wordfence.com/threat-intel/vulnerabilities/id/fc40196e-c0f3-4bc6-ac4b-b866902def61?source=cve • CWE-862: Missing Authorization •

CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 1

The Events Calendar WordPress plugin before 6.2.8.1 discloses the content of password protected posts to unauthenticated users via a crafted request El complemento Events Calendar de WordPress anterior a 6.2.8.1 revela el contenido de publicaciones protegidas con contraseña a usuarios no autenticados a través de una solicitud manipulada The The Events Calendar plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to and including 6.2.8 via the get_data function. This makes it possible for unauthenticated attackers to extract sensitive data including private post content, via the REST API. • https://wpscan.com/vulnerability/229273e6-e849-447f-a95a-0730969ecdae • CWE-202: Exposure of Sensitive Information Through Data Queries •

CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0

The The Events Calendar plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the get_ical_output_for_an_event() function in versions up to, and including, 6.1.2.2. This makes it possible for unauthenticated attackers to view arbitrary/private event content. • CWE-862: Missing Authorization •