CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2021-24716 – Modern Events Calendar Lite < 5.22.3 - Authenticated Stored Cross Site Scripting
https://notcve.org/view.php?id=CVE-2021-24716
29 Sep 2021 — The Modern Events Calendar Lite WordPress plugin before 5.22.3 does not properly sanitize or escape values set by users with access to adjust settings withing wp-admin. El plugin Modern Events Calendar Lite de WordPress versiones anteriores a 5.22.3, no sanea o escapa adecuadamente de los valores establecidos por los usuarios con acceso para ajustar la configuración con wp-admin • https://wpscan.com/vulnerability/576cc93d-1499-452b-97dd-80f69002e2a0 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 1CVE-2021-24687 – Modern Events Calendar Lite < 5.22.2 - Admin+ Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2021-24687
06 Sep 2021 — The Modern Events Calendar Lite WordPress plugin before 5.22.2 does not escape some of its settings before outputting them in attributes, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. El plugin Modern Events Calendar Lite de WordPress versiones anteriores a 5.22.2, no escapa a algunas de sus configuraciones antes de mostrarlas en atributos, que permite a usuarios con altos privilegios llevar a cabo ataques de tipo Cross-Site Scr... • https://wpscan.com/vulnerability/300ba418-63ed-4c03-9031-263742ed522e • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1CVE-2021-24149 – Modern Events Calendar Lite < 5.16.6 - Authenticated SQL Injection
https://notcve.org/view.php?id=CVE-2021-24149
29 Jan 2021 — Unvalidated input in the Modern Events Calendar Lite WordPress plugin, versions before 5.16.6, did not sanitise the mec[post_id] POST parameter in the mec_fes_form AJAX action when logged in as an author+, leading to an authenticated SQL Injection issue. Una entrada no comprobada en el plugin de WordPress Modern Events Calendar Lite, versiones anteriores a 5.16.6, no saneaba el parámetro mec[post_id] POST en la acción mec_fes_form AJAX cuando se iniciaba sesión como autor+, conllevando a un problema de inye... • https://wpscan.com/vulnerability/26819680-22a8-4348-b63d-dc52c0d50ed0 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 7.5EPSS: 8%CPEs: 1EXPL: 4CVE-2021-24146 – Modern Events Calendar Lite < 5.16.5 - Unauthenticated Events Export
https://notcve.org/view.php?id=CVE-2021-24146
29 Jan 2021 — Lack of authorisation checks in the Modern Events Calendar Lite WordPress plugin, versions before 5.16.5, did not properly restrict access to the export files, allowing unauthenticated users to exports all events data in CSV or XML format for example. Una falta de comprobaciones de autorización en el plugin de WordPress Modern Events Calendar Lite, versiones anteriores a 5.16.5, no restringió apropiadamente el acceso a los archivos de exportación, permitiendo a usuarios no autenticados exportar todos los da... • https://packetstorm.news/files/id/163345 • CWE-284: Improper Access Control CWE-862: Missing Authorization •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 1CVE-2021-24147 – Modern Events Calendar Lite < 5.16.5 - Authenticated Stored Cross-Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2021-24147
29 Jan 2021 — Unvalidated input and lack of output encoding in the Modern Events Calendar Lite WordPress plugin, versions before 5.16.5, did not sanitise the mic_comment field (Notes on time) when adding/editing an event, allowing users with privilege as low as author to add events with a Cross-Site Scripting payload in them, which will be triggered in the frontend when viewing the event. Una entrada no comprobada y una falta de codificación de salida en el plugin de WordPress Modern Events Calendar Lite, versiones anter... • https://wpscan.com/vulnerability/0f9ba284-5d7e-4092-8344-c68316b0146f • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.2EPSS: 96%CPEs: 1EXPL: 7CVE-2021-24145 – Modern Events Calendar Lite < 5.16.5 - Authenticated Arbitrary File Upload leading to RCE
https://notcve.org/view.php?id=CVE-2021-24145
29 Jan 2021 — Arbitrary file upload in the Modern Events Calendar Lite WordPress plugin, versions before 5.16.5, did not properly check the imported file, allowing PHP ones to be uploaded by administrator by using the 'text/csv' content-type in the request. Una carga arbitraria de archivos en el plugin de WordPress Modern Events Calendar Lite, versiones anteriores a 5.16.5, no comprobaba apropiadamente el archivo importado, permitiendo que los PHP sean cargados por el administrador al usar el tipo de contenido "text/csv"... • https://packetstorm.news/files/id/163346 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 2CVE-2020-9459 – Modern Events Calendar Lite <= 5.1.6 - Missing Authorization to Stored Cross-Site Scripting and Settings Update
https://notcve.org/view.php?id=CVE-2020-9459
27 Feb 2020 — Multiple Stored Cross-site scripting (XSS) vulnerabilities in the Webnus Modern Events Calendar Lite plugin through 5.1.6 for WordPress allows remote authenticated users (with minimal permissions) to inject arbitrary JavaScript, HTML, or CSS via Ajax actions. This affects mec_save_notifications and import_settings. Múltiples vulnerabilidades de tipo Cross-site scripting (XSS) Almacenado en el plugin Webnus Modern Events Calendar Lite versiones hasta 5.1.6 para WordPress, permite a usuarios autentificados re... • https://wpvulndb.com/vulnerabilities/10100 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •