Cross-Site Scripting Vulnerability in Google Calendar Events Plugin for WordPress
CVE-2014-7138

Currently unrated

Key Information:

Vendor: Wordpress
Status: Google Calendar Events
Vendor: CVE Published:; 16 October 2014

Summary

The Google Calendar Events plugin for WordPress is affected by a Cross-Site Scripting (XSS) vulnerability that allows remote attackers to inject arbitrary web scripts or HTML. This flaw arises through manipulation of the gce_feed_ids parameter during an AJAX request to wp-admin/admin-ajax.php. Exploiting this vulnerability can enable attackers to execute malicious scripts in the context of an unsuspecting user's browser.

References

http://www.securityfocus.com/bid/70370

vdb-entryx_refsource_BID

https://www.htbridge.com/advisory/HTB23235

x_refsource_MISC

https://github.com/pderksen/WP-Google-Calendar-Events/com...

x_refsource_CONFIRM

Timeline

Vulnerability published
Oct 16, 2014
Vulnerability Reserved
Sep 22, 2014