Unauthorized Cross-Site Scripting Attacks via Event Registrations in Events Calendar WordPress Plugin
CVE-2024-7982
Key Information:
- Vendor: Events Calendar WordPress plugin
- Product: Registrations For The Events Calendar
- CVE Published: 8 November 2024
Summary
A security vulnerability exists in the Events Calendar WordPress plugin, which fails to properly sanitize and escape certain parameters during the event registration process. Unauthorized users could exploit this flaw to carry out Cross-Site Scripting (XSS) attacks. Such attacks may lead to unauthorized actions or the injection of malicious scripts, compromising the integrity and security of the affected WordPress site. Update to version 2.12.4 or later to mitigate this risk.
Affected Version(s)
Registrations for the Events Calendar 0 < 2.12.4
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
Timeline
- Public PoC available
- Exploit known to exist
- Vulnerability published
- Vulnerability Reserved