VYPR · NVD Advisory · Unrated severity · Published Nov 1, 2021 · Updated Aug 3, 2024

Modern Events Calendar Lite < 5.22.3 - Authenticated Stored Cross Site Scripting

CVE-2021-24716

Description

The Modern Events Calendar Lite WordPress plugin before 5.22.3 does not properly sanitize or escape values set by users with access to adjust settings within wp-admin.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Modern Events Calendar Lite < 5.22.3 fails to sanitize plugin settings, allowing authenticated users with admin access to inject stored XSS.

Vulnerability

The Modern Events Calendar Lite WordPress plugin before version 5.22.3 does not properly sanitize or escape values set by users with access to adjust settings within the wp-admin dashboard [1]. This allows malicious input to be stored unsanitized in the plugin's configuration, leading to a stored cross-site scripting (XSS) vulnerability [1]. The weakness affects all versions prior to 5.22.3 [1].

Exploitation

An attacker must have authenticated access to the WordPress admin area with sufficient privileges to modify the plugin's settings (e.g., Administrator role) [1]. The attacker then crafts a malicious payload and inserts it into one of the affected settings fields. The payload is stored by the plugin and later executed in the browser of any administrator who views the settings page or other vulnerable output contexts [1]. No additional user interaction beyond viewing the page is required for the XSS to trigger.

Impact

Successful exploitation results in stored cross-site scripting, enabling the attacker to execute arbitrary JavaScript in the context of the WordPress admin panel [1]. Depending on the attacker's objective, this can lead to session hijacking, forced administrative actions, defacement, or theft of sensitive data visible to the admin session. The CVSS score is 3.8 (low) due to the high privileges required [1].

Mitigation

The vulnerability is fixed in version 5.22.3 of the Modern Events Calendar Lite plugin [1]. Users should update immediately to that version or later. For sites that cannot update, restricting access to the plugin settings to only fully trusted administrators is a partial workaround, but updating is the only complete fix.

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

Root cause

"Missing input sanitization and output escaping in plugin settings fields allows stored cross-site scripting."

Attack vector

An attacker who has access to adjust settings within wp-admin (e.g., a user with sufficient WordPress privileges) can inject arbitrary JavaScript into plugin settings fields. Because the plugin fails to sanitize or escape these values [CWE-79], the injected script is stored and later executed in the browser of any administrator or user who views the affected settings page. The attack requires authenticated access but does not require any special network-level preconditions beyond standard WordPress admin access.

Affected code

The advisory does not specify exact files or functions. The vulnerability exists in the settings handling of the Modern Events Calendar Lite plugin for WordPress, where user-supplied values are not properly sanitized or escaped before being stored or output.

What the fix does

The advisory states the vulnerability is fixed in version 5.22.3 of the Modern Events Calendar Lite plugin. No patch diff is provided in the bundle, but the fix presumably introduces proper sanitization and escaping of user-supplied values before they are stored or rendered in settings pages, preventing the injection of arbitrary HTML or JavaScript.
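As an added illustration (not the plugin's own code, which the advisory does not identify), the unsafe settings pattern the advisory describes is shown beside its hardened form using WordPress's standard sanitization and escaping helpers. The option name and function names are hypothetical, and the code assumes it runs inside a loaded WordPress plugin.

```php
<?php
// Added illustration, not the plugin's code: a minimal settings field for a
// hypothetical option "mec_demo_venue_label". Assumes WordPress is loaded.

const MEC_DEMO_OPTION = 'mec_demo_venue_label'; // hypothetical option name

// VULNERABLE pattern: the submitted value is stored verbatim and later echoed
// into an attribute unescaped, so stored HTML/JS runs for whoever views the page.
function mec_demo_save_unsafe() {
    if (isset($_POST['venue_label'])) {
        update_option(MEC_DEMO_OPTION, wp_unslash($_POST['venue_label']));
    }
}
function mec_demo_render_unsafe() {
    $label = get_option(MEC_DEMO_OPTION, '');
    echo '<input type="text" name="venue_label" value="' . $label . '">';
}

// HARDENED pattern: capability and nonce checks, sanitize on the way in,
// escape on the way out for the exact output context (an attribute here).
function mec_demo_save_safe() {
    if (!current_user_can('manage_options')) {
        return; // only users allowed to change settings may write them
    }
    check_admin_referer('mec_demo_save'); // aborts on a forged submission
    if (isset($_POST['venue_label'])) {
        // sanitize_text_field() strips tags, control characters and extra whitespace
        $clean = sanitize_text_field(wp_unslash($_POST['venue_label']));
        update_option(MEC_DEMO_OPTION, $clean);
    }
}
function mec_demo_render_safe() {
    $label = get_option(MEC_DEMO_OPTION, '');
    echo '<form method="post">';
    wp_nonce_field('mec_demo_save');
    // esc_attr() encodes quotes and angle brackets, so a stored value can never
    // close the attribute or open a tag even if sanitization was bypassed.
    echo '<input type="text" name="venue_label" value="' . esc_attr($label) . '">';
    echo '</form>';
}
```

Sanitizing on input and escaping on output are independent layers; the advisory's wording ("sanitize or escape") indicates the affected versions had neither for these fields.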

Preconditions

  • auth: Attacker must have authenticated access to the WordPress admin area with permission to adjust plugin settings.
  • config: The vulnerable plugin version must be earlier than 5.22.3.
  • network: The attacker must be able to reach the wp-admin settings page for the Modern Events Calendar Lite plugin.

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 1

News mentions: 0 (no linked articles in our index yet)