CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2022-27848 – WordPress Modern Events Calendar Lite plugin <= 6.5.1 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
https://notcve.org/view.php?id=CVE-2022-27848
Authenticated (admin+ user) Stored Cross-Site Scripting (XSS) in Modern Events Calendar Lite (WordPress plugin) <= 6.5.1 Una vulnerabilidad de tipo Cross-Site Scripting (XSS) Almacenado y Autenticado (admin+ usuario) en Modern Events Calendar Lite (plugin de WordPress) versiones anteriores a 6.5.1 incluyéndola The Modern Events Calendar Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 6.5.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with administrative privileges to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. • https://patchstack.com/database/vulnerability/modern-events-calendar-lite/wordpress-modern-events-calendar-lite-plugin-6-5-1-authenticated-stored-cross-site-scripting-xss-vulnerability https://wordpress.org/plugins/modern-events-calendar-lite/#developers • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 1CVE-2022-0364 – Modern Events Calendar Lite < 6.4.0 - Contributor+ Stored Cross Site Scripting
https://notcve.org/view.php?id=CVE-2022-0364
The Modern Events Calendar Lite WordPress plugin before 6.4.0 does not sanitize and escape some of the Hourly Schedule parameters which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks El plugin Modern Events Calendar Lite de WordPress versiones anteriores a 6.4.0, no sanea ni escapa de algunos de los parámetros Hourly Schedule, lo que podría permitir a usuarios con un rol tan bajo como el de contribuyente llevar a cabo ataques de tipo Cross-Site Scripting almacenados • https://wpscan.com/vulnerability/0eb40cd5-838e-4b53-994d-22cf7c8a6c50 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2021-25046 – Modern Events Calendar Lite < 6.2.0 - Subscriber+ Category Add Leading to Stored XSS
https://notcve.org/view.php?id=CVE-2021-25046
The Modern Events Calendar Lite WordPress plugin before 6.2.0 alloed any logged-in user, even a subscriber user, may add a category whose parameters are incorrectly escaped in the admin panel, leading to stored XSS. El plugin Modern Events Calendar Lite de WordPress versiones anteriores a 6.2.0, permitía que cualquier usuario conectado, incluso un usuario suscriptor, pudiera añadir una categoría cuyos parámetros escapaban incorrectamente en el panel de administración, conllevando a un ataque de tipo XSS almacenado • https://wpscan.com/vulnerability/19c2f456-a41e-4755-912d-13683719bae6 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2021-24925 – Modern Events Calendar Lite < 6.1.5 - Reflected Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2021-24925
The Modern Events Calendar Lite WordPress plugin before 6.1.5 does not sanitise and escape the current_month_divider parameter of its mec_list_load_more AJAX call (available to both unauthenticated and authenticated users) before outputting it back in the response, leading to a Reflected Cross-Site Scripting issue El plugin Modern Events Calendar Lite de WordPress versiones anteriores a 6.1.5, no sanea ni escapa del parámetro current_month_divider de su llamada AJAX mec_list_load_more (disponible para usuarios autenticados y no autenticados) antes de devolverlo a la respuesta, conllevando a un problema de Cross-Site Scripting Reflejado • https://wpscan.com/vulnerability/82233588-6033-462d-b886-a8ef5ee9adb0 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 22%CPEs: 1EXPL: 4CVE-2021-24946 – Modern Events Calendar < 6.1.5 - Unauthenticated Blind SQL Injection
https://notcve.org/view.php?id=CVE-2021-24946
The Modern Events Calendar Lite WordPress plugin before 6.1.5 does not sanitise and escape the time parameter before using it in a SQL statement in the mec_load_single_page AJAX action, available to unauthenticated users, leading to an unauthenticated SQL injection issue El plugin Modern Events Calendar Lite de WordPress versiones anteriores a 6.1.5, no sanea ni escapa del parámetro time antes de usarlo en una sentencia SQL en la acción mec_load_single_page AJAX, disponible para usuarios no autenticados, conllevando un problema de inyección SQL no autenticada Modern Events Calendar plugin contains an unauthenticated timebased SQL injection in versions before 6.1.5. The time parameter is vulnerable to injection. • https://www.exploit-db.com/exploits/50687 http://packetstormsecurity.com/files/165742/WordPress-Modern-Events-Calendar-6.1-SQL-Injection.html https://github.com/Hacker5preme/Exploits/tree/main/Wordpress/CVE-2021-24946 https://wpscan.com/vulnerability/09871847-1d6a-4dfe-8a8c-f2f53ff87445 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •