CVE-2021-24498

Calendar Event Multi View < 1.4.01 - Unauthenticated Reflected Cross-Site Scripting (XSS)

EPSS 3.1%CWE-79

Vexday Risk Score

18Low

SSVC decision (CISA)

Attend

PoC available → attend closely

CVSS —EPSS 3.1%KEV nãoPoC —Nuclei simMetasploit —Patch —

Lifecycle

02 Aug 2021Published on NVD

Recommendation: Plan a near-term fix — a public PoC already exists.

The Calendar Event Multi View WordPress plugin before 1.4.01 does not sanitise or escape the 'start' and 'end' GET parameters before outputting them in the page (via php/edit.php), leading to a reflected Cross-Site Scripting issue.

Affected products

Unknown · Calendar Event Multi View

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://wpscan.com/vulnerability/3c5a5187-42b3-4f88-9b0e-4fdfa1c39e86