The Calendar Event Multi View WordPress plugin before 1.4.07 has no authorisation or CSRF checks in place when creating an event, and also lacks sanitisation and escaping in some of the event fields. This could allow unauthenticated attackers to create arbitrary events and put Cross-Site Scripting payloads in them.
References
Link | Resource |
---|---|
http://packetstormsecurity.com/files/171697/Calendar-Event-Multi-View-1.4.07-Cross-Site-Scripting.html | |
https://wpscan.com/vulnerability/95f92062-08ce-478a-a2bc-6d026adf657c | Exploit Third Party Advisory |
History
05 Apr 2023, 18:15
Type | Values Removed | Values Added |
---|---|---|
References | | |
CWE | CWE-79 |
06 Oct 2022, 16:33
Type | Values Removed | Values Added |
---|---|---|
CVSS | v2 : v3 : | v2 : unknown, v3 : 4.3 |
CPE | cpe:2.3:a:dwbooster:calendar_event_multi_view:*:*:*:*:*:wordpress:*:* | |
CWE | CWE-352 | |
References | (MISC) https://wpscan.com/vulnerability/95f92062-08ce-478a-a2bc-6d026adf657c - Exploit, Third Party Advisory |
03 Oct 2022, 14:15
Type | Values Removed | Values Added |
---|---|---|
CWE | CWE-79 CWE-862 | |
References | | |
Summary | The Calendar Event Multi View WordPress plugin before 1.4.07 does not have any authorisation and CSRF checks in place when creating an event, and is also lacking sanitisation as well as escaping in some of the event fields. This could allow unauthenticated attackers to create arbitrary events and put Cross-Site Scripting payloads in it. |
17 Aug 2022, 14:56
Type | Values Removed | Values Added |
---|---|---|
First Time | Dwbooster, Dwbooster calendar Event Multi View | |
References | (MISC) https://vuldb.com/?id.206488 - Third Party Advisory, VDB Entry | |
CPE | cpe:2.3:a:dwbooster:calendar_event_multi_view:-:*:*:*:*:wordpress:*:* | |
CVSS | v2 : v3 : | v2 : unknown, v3 : 8.8 |
16 Aug 2022, 19:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2022-08-16 19:15
Updated : 2023-12-10 14:35
NVD link : CVE-2022-2846
Mitre link : CVE-2022-2846
CVE.ORG link : CVE-2022-2846
Products Affected
dwbooster
- calendar_event_multi_view