CVE-2022-4115 – Editorial Calendar < 3.8.3 - Contributor+ Stored XSS
https://notcve.org/view.php?id=CVE-2022-4115
05 Jun 2023 — The Editorial Calendar WordPress plugin before 3.8.3 does not sanitise and escape its settings, allowing users with roles as low as contributor to inject arbitrary web scripts into the plugin admin panel, enabling a Stored Cross-Site Scripting vulnerability targeting higher privileged users. The Editorial Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘wheel-support’ parameter accepted by the 'edcal_saveoptions' AJAX action in versions up to, and including, 3.8.0 due to ins... Note that the two aggregated descriptions disagree on the affected range (before 3.8.3 versus up to and including 3.8.0); treat 3.8.3, the first version the WPScan entry describes as unaffected, as the minimum version to run. • https://wpscan.com/vulnerability/2b5071e1-9532-4a6c-9da4-d07932474ca4 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
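The bug class above (a settings value accepted from any logged-in user over admin-ajax, stored, and later echoed into the admin page unescaped) is easiest to see next to its fix. The following is an added illustration written for this entry, not code from the Editorial Calendar plugin; the option name, hook names and the assumption that 'wheel-support' is a true/false toggle are hypothetical. The WordPress API calls (check_ajax_referer, current_user_can, sanitize_text_field, esc_attr, update_option) are the standard ones.

```php
<?php
// Added example, not the Editorial Calendar plugin's code. Hypothetical WordPress
// AJAX settings handler showing the unsafe pattern described in CVE-2022-4115
// (a setting stored and echoed without sanitising or escaping, reachable by any
// logged-in role) beside a hardened version. Option and hook names are assumed.

// --- Vulnerable pattern (illustrative) -----------------------------------------
// wp_ajax_* fires for every logged-in user; there is no capability or nonce check
// and the raw POST value lands in the options table unchanged.
function edcal_example_save_vulnerable() {
    update_option( 'edcal_example_wheel_support', $_POST['wheel-support'] );
    wp_send_json_success();
}
add_action( 'wp_ajax_edcal_example_save_vulnerable', 'edcal_example_save_vulnerable' );

// Printing the stored option back into the admin page without escaping turns a
// contributor's payload into Stored XSS against whoever opens the settings screen.
function edcal_example_render_vulnerable() {
    $val = get_option( 'edcal_example_wheel_support', 'true' );
    echo '<input type="text" name="wheel-support" value="' . $val . '">';
}

// --- Hardened pattern -----------------------------------------------------------
function edcal_example_save_hardened() {
    // 1. CSRF protection: the admin page must emit
    //    wp_nonce_field( 'edcal_example_save', '_edcal_nonce' ) for this to pass.
    check_ajax_referer( 'edcal_example_save', '_edcal_nonce' );

    // 2. Authorisation: only users who may manage options can change settings,
    //    which excludes the contributor role the advisory names.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    // 3. Input validation: the setting is assumed to be a boolean toggle, so only
    //    the two literal values are accepted; anything else collapses to 'false'.
    $raw   = isset( $_POST['wheel-support'] )
        ? sanitize_text_field( wp_unslash( $_POST['wheel-support'] ) )
        : 'false';
    $value = ( 'true' === $raw ) ? 'true' : 'false';

    update_option( 'edcal_example_wheel_support', $value );
    wp_send_json_success( array( 'wheel-support' => $value ) );
}
add_action( 'wp_ajax_edcal_example_save_hardened', 'edcal_example_save_hardened' );

// 4. Output escaping: even a validated value is escaped for the attribute context
//    it is printed into, so a bad write to wp_options can never become script.
function edcal_example_render_hardened() {
    $val = get_option( 'edcal_example_wheel_support', 'true' );
    echo '<input type="text" name="wheel-support" value="' . esc_attr( $val ) . '">';
}
```

Each of the four steps closes a different hole: the nonce stops cross-site requests, the capability check stops low-privileged accounts, validation limits what can be stored, and escaping on output is the control that would have prevented the stored script from executing even if the first three were missing.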
CVE-2013-10023 – Editorial Calendar Plugin edcal.php edcal_filter_where SQL injection
https://notcve.org/view.php?id=CVE-2013-10023
13 Feb 2013 — A vulnerability was found in Editorial Calendar Plugin up to 2.6 on WordPress. It has been declared as critical. Affected by this vulnerability is the function edcal_filter_where of the file edcal.php. Manipulation of the argument edcal_startDate/edcal_endDate leads to SQL injection. The attack can be launched remotely. • https://github.com/wp-plugins/editorial-calendar/commit/a9277f13781187daee760b4dfd052b1b68e101cc • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
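A calendar plugin narrows its post query to a date range through the WordPress posts_where filter, so the injection point described above is a request-controlled date string spliced into that WHERE clause. The example below is added for this entry and is not the plugin's code or its fix commit; the function and parameter handling are hypothetical, while $wpdb->prepare() and the posts_where filter are the standard WordPress mechanisms.

```php
<?php
// Added example, not the plugin's code. Hypothetical posts_where filter that
// limits the calendar query to [startDate, endDate), showing the pattern
// CVE-2013-10023 describes (request-controlled dates concatenated into SQL)
// beside a hardened version that validates the dates and uses $wpdb->prepare().

// --- Vulnerable pattern (illustrative) -----------------------------------------
function edcal_example_filter_where_vulnerable( $where, $query ) {
    global $wpdb;
    // Raw request values spliced into the WHERE clause: a value such as
    //   2013-01-01' OR '1'='1
    // closes the quoted literal and rewrites the query.
    $start  = $_GET['edcal_startDate'];
    $end    = $_GET['edcal_endDate'];
    $where .= " AND {$wpdb->posts}.post_date >= '" . $start . "'";
    $where .= " AND {$wpdb->posts}.post_date <  '" . $end . "'";
    return $where;
}

// --- Hardened pattern -----------------------------------------------------------

// Accept only a strict YYYY-MM-DD calendar date; return null for anything else.
function edcal_example_valid_date( $value ) {
    if ( ! is_string( $value ) ) {
        return null;
    }
    $dt = DateTime::createFromFormat( '!Y-m-d', $value );
    // createFromFormat is lenient (2013-02-31 rolls over into March), so the
    // value is round-tripped and must come back byte-for-byte identical.
    if ( false === $dt || $dt->format( 'Y-m-d' ) !== $value ) {
        return null;
    }
    return $value;
}

function edcal_example_filter_where_hardened( $where, $query ) {
    global $wpdb;
    $start = edcal_example_valid_date(
        isset( $_GET['edcal_startDate'] ) ? wp_unslash( $_GET['edcal_startDate'] ) : null
    );
    $end = edcal_example_valid_date(
        isset( $_GET['edcal_endDate'] ) ? wp_unslash( $_GET['edcal_endDate'] ) : null
    );
    if ( null === $start || null === $end ) {
        // Fail closed: bad input yields no rows rather than an unfiltered query.
        return $where . ' AND 1=0';
    }
    // Even validated values go through prepare(): %s is quoted and escaped by
    // $wpdb, so the argument can only ever be a string literal, never SQL.
    $where .= $wpdb->prepare(
        " AND {$wpdb->posts}.post_date >= %s AND {$wpdb->posts}.post_date < %s",
        $start,
        $end
    );
    return $where;
}
add_filter( 'posts_where', 'edcal_example_filter_where_hardened', 10, 2 );
```

Validation and parameterisation are deliberately both present: the allow-list of date shapes keeps junk out of the query's logic, and prepare() guarantees the SQL structure regardless of what the validator lets through. In a real plugin the filter should be added immediately before the calendar's own WP_Query and removed right after it, so it does not silently alter unrelated queries on the same request.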