CVE-2022-0212 – SpiderCalendar <= 1.5.65 - Reflected Cross-Site Scripting

https://notcve.org/view.php?id=CVE-2022-0212

The SpiderCalendar WordPress plugin through 1.5.65 does not sanitise and escape the callback parameter before outputting it back in the page via the window AJAX action (available to both unauthenticated and authenticated users), leading to a Reflected Cross-Site Scripting issue. El plugin SpiderCalendar para WordPress versiones hasta 1.5.65, no sanea y escapa del parámetro callback antes de devolverlo a la página por medio de la acción AJAX de la ventana (disponible tanto para usuarios no autenticados como autenticados), conllevando a un problema de tipo Cross-Site Scripting Reflejado • https://wpscan.com/vulnerability/15be2d2b-baa3-4845-82cf-3c351c695b47 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •