Modern Events Calendar Lite < 5.1.7 - Multiple Subscriber+ Stored XSS



Description
"Modern Events Calendar Lite registers a number of AJAX actions for logged-in users. Some of these actions allow low-privileged users like subscribers to manipulate settings and other stored data. When exploited in this way, the affected data can be injected with various XSS payloads."

Affects Plugin

fixed in version 5.1.7

References

CVE: CVE-2020-9459
URL: https://www.wordfence.com/blog/2020/02/site-takeover-campaign-exploits-multiple-zero-day-vulnerabilities/

Classification

Type: XSS
OWASP Top 10: A7: Cross-Site Scripting (XSS)
CWE: CWE-79

Miscellaneous

Original Researcher: Sean Murphy, QA Lead Matt Rusnak, and QA Engineer Ramuel Gall (Wordfence)
Views: 2982
Verified: No
WPVDB ID: 10100

Timeline

Publicly Published: 2020-02-27
Added: 2020-02-28
Last Updated: 2020-03-02
