Page 3 of 17 results (0.010 seconds)

CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1

The Modern Events Calendar Lite WordPress plugin before 5.22.3 does not properly sanitize or escape values set by users with access to adjust settings withing wp-admin. El plugin Modern Events Calendar Lite de WordPress versiones anteriores a 5.22.3, no sanea o escapa adecuadamente de los valores establecidos por los usuarios con acceso para ajustar la configuración con wp-admin • https://wpscan.com/vulnerability/576cc93d-1499-452b-97dd-80f69002e2a0 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 1

The Modern Events Calendar Lite WordPress plugin before 5.22.2 does not escape some of its settings before outputting them in attributes, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. El plugin Modern Events Calendar Lite de WordPress versiones anteriores a 5.22.2, no escapa a algunas de sus configuraciones antes de mostrarlas en atributos, que permite a usuarios con altos privilegios llevar a cabo ataques de tipo Cross-Site Scripting incluso cuando la capacidad unfiltered_html está deshabilitada • https://wpscan.com/vulnerability/300ba418-63ed-4c03-9031-263742ed522e • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 1

Unvalidated input and lack of output encoding in the Modern Events Calendar Lite WordPress plugin, versions before 5.16.5, did not sanitise the mic_comment field (Notes on time) when adding/editing an event, allowing users with privilege as low as author to add events with a Cross-Site Scripting payload in them, which will be triggered in the frontend when viewing the event. Una entrada no comprobada y una falta de codificación de salida en el plugin de WordPress Modern Events Calendar Lite, versiones anteriores a 5.16.5, no sanean el campo mic_comment (Notas a tiempo) cuando agrega y edita un evento, permitiendo a usuarios con privilegios tan bajos como el autor para agregar eventos con una carga útil de tipo Cross-Site Scripting en ellos, que será activada en el frontend cuando se visualiza el evento • https://wpscan.com/vulnerability/0f9ba284-5d7e-4092-8344-c68316b0146f • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 7.2EPSS: 96%CPEs: 1EXPL: 5

Arbitrary file upload in the Modern Events Calendar Lite WordPress plugin, versions before 5.16.5, did not properly check the imported file, allowing PHP ones to be uploaded by administrator by using the 'text/csv' content-type in the request. Una carga arbitraria de archivos en el plugin de WordPress Modern Events Calendar Lite, versiones anteriores a 5.16.5, no comprobaba apropiadamente el archivo importado, permitiendo que los PHP sean cargados por el administrador al usar el tipo de contenido "text/csv" en la petición WordPress Modern Events Calendar plugin version 5.16.2 suffers from a remote shell upload vulnerability. • https://www.exploit-db.com/exploits/50082 https://github.com/dnr6419/CVE-2021-24145 http://packetstormsecurity.com/files/163346/WordPress-Modern-Events-Calendar-5.16.2-Shell-Upload.html http://packetstormsecurity.com/files/163672/WordPress-Modern-Events-Calendar-Remote-Code-Execution.html https://wpscan.com/vulnerability/f42cc26b-9aab-4824-8168-b5b8571d1610 - • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVSS: 7.5EPSS: 2%CPEs: 1EXPL: 3

Lack of authorisation checks in the Modern Events Calendar Lite WordPress plugin, versions before 5.16.5, did not properly restrict access to the export files, allowing unauthenticated users to exports all events data in CSV or XML format for example. Una falta de comprobaciones de autorización en el plugin de WordPress Modern Events Calendar Lite, versiones anteriores a 5.16.5, no restringió apropiadamente el acceso a los archivos de exportación, permitiendo a usuarios no autenticados exportar todos los datos de eventos en formato CSV o XML, por ejemplo WordPress Modern Events Calendar plugin version 5.16.2 suffers from an issue where unauthenticated parties can export all event data. • https://www.exploit-db.com/exploits/50084 http://packetstormsecurity.com/files/163345/WordPress-Modern-Events-Calendar-5.16.2-Information-Disclosure.html https://wpscan.com/vulnerability/c7b1ebd6-3050-4725-9c87-0ea525f8fecc • CWE-284: Improper Access Control CWE-862: Missing Authorization •