Timetable and Event Schedule by MotoPress < 2.3.19 - Author+ Stored Cross-Site Scripting

Vulnerability

The Timetable and Event Schedule by MotoPress WordPress plugin versions before 2.3.19 lack proper sanitization of certain parameters. This flaw enables stored cross-site scripting (XSS) attacks [2]. The vulnerability is present in the plugin's event scheduling functionality, reachable through the WordPress admin interface [1].

Exploitation

An attacker with author-level privileges or higher can inject malicious JavaScript into parameters that are not sanitized. When other users (including administrators) view the affected event, the script executes in their browser. The attack requires no special network position beyond access to the WordPress backend [1][2].

Impact

Successful exploitation results in stored XSS, allowing the attacker to execute arbitrary JavaScript in the context of a victim's session. This can lead to information disclosure, session hijacking, or unauthorized actions performed on behalf of the victim. Both frontend and backend users are at risk [1][2].

Mitigation

The vulnerability is fixed in version 2.3.19. Users should update the plugin to this release or later. As of the publication date (2021-09-13), no other mitigations are documented. The plugin is not listed on CISA's KEV [2].