← back
CVE-2022-2846

Calendar Event Multi View < 1.4.07 - Unauthenticated Arbitrary Event Creation to Stored XSS

CVSS 4.3 MEDIUMEPSS 2.2%CWE-79CWE-862
Vexday Risk Score
33Attention
SSVC decision (CISA)
Attend
PoC available → attend closely
CVSS 4.3EPSS 2.2%KEV nãoPoC públicaPatch
Lifecycle
16 Aug 2022Published on NVD
05 Apr 2023Public PoC
Recommendation: Plan a near-term fix — a public PoC already exists.
The Calendar Event Multi View WordPress plugin before 1.4.07 does not have any authorisation and CSRF checks in place when creating an event, and is also lacking sanitisation as well as escaping in some of the event fields. This could allow unauthenticated attackers to create arbitrary events and put Cross-Site Scripting payloads in it.
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Affected products
Unknown · Calendar Event Multi View
public PoCs found2
cve_referencepacketstormsecurity.com/files/171697/Calendar-Event-Multi-View-1.4.07-Cross-Site-Scripting.htmlunverifiedexploitdbwww.exploit-db.com/exploits/51241unverified
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
http://packetstormsecurity.com/files/171697/Calendar-Event-Multi-View-1.4.07-Cross-Site-Scripting.htmlhttps://wpscan.com/vulnerability/95f92062-08ce-478a-a2bc-6d026adf657c