Stored Cross-Site Scripting Vulnerability in Events Calendar Plugin by WordPress
CVE-2024-10703
Summary
A security vulnerability exists in the Events Calendar plugin for WordPress, where insufficient sanitization and escaping of certain settings allow high privilege users, such as administrators, to execute Stored Cross-Site Scripting (XSS) attacks. This vulnerability can compromise the security of WordPress sites, especially in multisite configurations where unfiltered_html capability is restricted, potentially enabling attackers to inject malicious scripts that could execute in the context of other users.
Affected Version(s)
Registrations for the Events Calendar 0 < 2.13.4
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
References
CVSS V3.1
Timeline
- 🟡
Public PoC available
- 👾
Exploit known to exist
Vulnerability published
Vulnerability Reserved