3 results (0.007 seconds)

CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0

Unauthenticated Event Deletion vulnerability in Totalsoft Event Calendar – Calendar plugin <= 1.4.6 at WordPress. Una vulnerabilidad de Eliminación de Eventos no Autenticada en el plugin Totalsoft Event Calendar - Calendar versiones anteriores a 1.4.6 incluyéndola, en WordPress The Event Calendar plugin for WordPress lacks authorization and capability checks on several of its functions reachable via AJAX actions in versions up to, and including, 1.4.6. This makes it possible for unauthenticated attackers to edit, clone, and delete events. • https://patchstack.com/database/vulnerability/calendar-event/wordpress-event-calendar-calendar-plugin-1-4-6-unauthenticated-event-deletion-vulnerability/_s_id=cve https://wordpress.org/plugins/calendar-event • CWE-264: Permissions, Privileges, and Access Controls CWE-862: Missing Authorization •

CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0

Authenticated (subscriber+) Reflected Cross-Site Scripting (XSS) vulnerability in Totalsoft Event Calendar – Calendar plugin <= 1.4.6 at WordPress. Una vulnerabilidad de tipo cross-Site Scripting (XSS) Reflejado y Autenticado (suscriptor+) en el plugin Totalsoft Event Calendar - Calendar versiones anteriores a 1.4.6 incluyéndola, en WordPress The Event Calendar plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 1.4.6 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. • https://patchstack.com/database/vulnerability/calendar-event/wordpress-event-calendar-calendar-plugin-1-4-6-authenticated-reflected-cross-site-scripting-xss-vulnerability https://wordpress.org/plugins/calendar-event/#developers • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0

Cross-site scripting (XSS) vulnerability in modules/ecal/display.php in the Event Calendar in bcoos 1.0.10 allows remote attackers to inject arbitrary web script or HTML via the month parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. NOTE: the day and year vectors are covered by CVE-2007-6274. Vulnerabilidad de secuencias de comandos en sitios cruzados (XSS) en modules/ecal/display.php en el Event Calendar de bcoos 1.0.10 permite a atacantes remotos inyectar scripts web o HTML de su elección a través del parámetro month. NOTA: El origen de esta información es desconocido; los detalles se han obtenido solamente de información de terceros. NOTA: los vectores día y año son cubiertos en CVE-2007-6274. • http://secunia.com/advisories/26945 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •