VYPR
Unrated severity · NVD Advisory · Published Oct 4, 2021 · Updated Aug 3, 2024

Modern Events Calendar Lite < 5.22.2 - Admin+ Stored Cross-Site Scripting

CVE-2021-24687

Description

The Modern Events Calendar Lite WordPress plugin before 5.22.2 does not escape some of its settings before outputting them in attributes, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The Modern Events Calendar Lite plugin before 5.22.2 has stored XSS in settings output, allowing admin users to inject scripts even when unfiltered_html is disallowed.

Vulnerability

The Modern Events Calendar Lite WordPress plugin versions before 5.22.2 fail to escape some of its settings before outputting them in HTML attributes. This vulnerability is a stored cross-site scripting (XSS) issue that affects plugin settings pages. High-privilege users, such as administrators, can inject malicious scripts into settings values that are later rendered unsafely in attribute contexts. The vulnerability is present in all versions prior to the fix introduced in 5.22.2 [1].
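To make the escaping defect concrete, here is an added PHP illustration of the pattern the advisory describes: a stored plugin setting echoed straight into an HTML attribute, beside the hardened form that passes it through WordPress's `esc_attr()`. This is not the plugin's own code; the option name `hypothetical_plugin_title`, the stored value and the stand-in helper functions are constructed so the snippet runs outside WordPress.

```php
<?php
// Added illustration, not Modern Events Calendar Lite's code.
// The option name and stored value below are constructed placeholders.

// Minimal stand-ins for two WordPress helpers so this runs with plain PHP.
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    }
}
if ( ! function_exists( 'get_option' ) ) {
    // Constructed stored setting: text an administrator could save through
    // a settings form that does not run through the unfiltered_html check.
    function get_option( $name, $default = '' ) {
        $store = array(
            'hypothetical_plugin_title' => 'Events" onmouseover="alert(1)" data-x="',
        );
        return isset( $store[ $name ] ) ? $store[ $name ] : $default;
    }
}

// VULNERABLE pattern: the raw setting is concatenated into an attribute value.
// The double quote inside the stored text terminates value="..." and the
// remainder becomes new attributes on the <input> element.
function render_title_input_unescaped() {
    $title = get_option( 'hypothetical_plugin_title' );
    return '<input type="text" name="title" value="' . $title . '">';
}

// FIXED pattern: esc_attr() encodes quotes and angle brackets, so the stored
// text is shown literally inside the attribute and cannot break out of it.
function render_title_input_escaped() {
    $title = get_option( 'hypothetical_plugin_title' );
    return '<input type="text" name="title" value="' . esc_attr( $title ) . '">';
}

echo render_title_input_unescaped(), PHP_EOL;
echo render_title_input_escaped(), PHP_EOL;
```

Running the file prints the two renderings side by side: the first contains a live `onmouseover` attribute, the second contains `value="Events&quot; onmouseover=&quot;alert(1)&quot; data-x=&quot;"`, which the browser treats as plain text. The point the advisory makes is that the `unfiltered_html` capability only governs what WordPress strips from content on save; a setting written by the plugin's own handler is never filtered by it, so the control that actually closes the hole is escaping at the point of output, which is what the 5.22.2 fix adds.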

Exploitation

An attacker must have administrative-level access to the WordPress site. The attacker edits plugin settings that are not properly escaped, inserting crafted payloads (e.g., using " to break out of an attribute). When the settings are rendered in the admin dashboard or front-end, the injected JavaScript executes. No special network position or user interaction beyond the initial admin configuration is required; the malicious payload persists in the settings and triggers for any user viewing the affected page [1].

Impact

Successful exploitation results in stored cross-site scripting, allowing the attacker to execute arbitrary JavaScript in the browser of any user visiting the affected page. This can lead to session hijacking, theft of sensitive data, or further privilege escalation within the WordPress admin interface. The vulnerability bypasses the unfiltered_html capability, meaning even users who are normally restricted from posting unfiltered HTML can inject scripts via these settings [1].

Mitigation

Update to Modern Events Calendar Lite version 5.22.2, which fixes the escaping issue [1]. No known workarounds are available; sites running an older version should apply the patch immediately. The vulnerability is publicly disclosed and documented on WPScan. There is no indication that this CVE is in the CISA Known Exploited Vulnerabilities (KEV) catalog.

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 1

News mentions: 0

No linked articles in our index yet.