Modern Events Calendar Lite < 6.1.5 - Reflected Cross-Site Scripting
Description
The Modern Events Calendar Lite WordPress plugin before 6.1.5 does not sanitise and escape the current_month_divider parameter of its mec_list_load_more AJAX call (available to both unauthenticated and authenticated users) before outputting it back in the response, leading to a Reflected Cross-Site Scripting issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Unauthenticated reflected XSS in Modern Events Calendar Lite < 6.1.5 via unsanitized current_month_divider AJAX parameter.
Vulnerability
The Modern Events Calendar Lite WordPress plugin before version 6.1.5 fails to sanitize and escape the current_month_divider parameter in the mec_list_load_more AJAX call. This call is accessible to both unauthenticated and authenticated users. The unsanitized parameter is reflected back in the AJAX response, leading to a Reflected Cross-Site Scripting (XSS) vulnerability [1].
Exploitation
An attacker can craft a malicious URL with a JavaScript payload in the current_month_divider parameter and trick a victim into clicking it. No authentication is required; the vulnerability is exploitable by unauthenticated users. The AJAX endpoint processes the request and reflects the payload back to the victim's browser, which then executes the injected script in the context of the victim's WordPress session [1].
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the victim's browser. This can lead to theft of session cookies, defacement of the current page, or redirection to malicious sites. The attack is reflected, meaning the impact is limited to the victim's session and does not result in persistent changes to the site [1].
Mitigation
The vulnerability is fixed in version 6.1.5 of the Modern Events Calendar Lite plugin. Administrators should update to this version immediately. Users who cannot update should consider disabling the plugin or restricting access to the AJAX endpoint until a patch can be applied [1].
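As an interim control for sites that cannot update yet, the following mu-plugin is added here as an illustration (it is not code from the plugin or from WPScan): it rejects mec_list_load_more requests whose current_month_divider value falls outside an allowlist, and shows the escape-on-output pattern that constitutes the real fix. The allowlist pattern, the function names and the CSS class are assumptions.

```php
<?php
/**
 * Plugin Name: Interim guard for mec_list_load_more
 * Hypothetical mu-plugin (drop into wp-content/mu-plugins/); not the plugin's own code.
 * Keep only until the site runs Modern Events Calendar Lite 6.1.5 or later.
 */

const MEC_GUARD_ACTION = 'mec_list_load_more';
const MEC_GUARD_PARAM  = 'current_month_divider';

// Assumption: a legitimate divider value contains only letters, digits,
// spaces, '-' and '_' and is at most 64 characters. Markup never matches.
function mec_guard_value_is_safe( $value ) {
    if ( ! is_string( $value ) ) {
        return false;
    }
    return (bool) preg_match( '/\A[A-Za-z0-9 _-]{0,64}\z/', $value );
}

// admin-ajax.php fires admin_init before dispatching wp_ajax_{action} and
// wp_ajax_nopriv_{action}, so a priority-0 callback runs ahead of the handler.
function mec_guard_check_request() {
    if ( ! wp_doing_ajax() ) {
        return;
    }
    $action = ( isset( $_REQUEST['action'] ) && is_string( $_REQUEST['action'] ) ) ? $_REQUEST['action'] : '';
    if ( MEC_GUARD_ACTION !== $action || ! isset( $_REQUEST[ MEC_GUARD_PARAM ] ) ) {
        return;
    }
    $value = wp_unslash( $_REQUEST[ MEC_GUARD_PARAM ] );
    if ( ! mec_guard_value_is_safe( $value ) ) {
        // Leave a trace for detection, then stop before the vulnerable handler runs.
        error_log( sprintf( 'mec_guard: rejected %s from %s', MEC_GUARD_PARAM, $_SERVER['REMOTE_ADDR'] ?? 'unknown' ) );
        wp_send_json_error( array( 'message' => 'Invalid request parameter.' ), 400 );
    }
}
add_action( 'admin_init', 'mec_guard_check_request', 0 );

// The permanent fix lives at the point of output: sanitize on input and escape
// for the HTML context the value is echoed into. Class name is illustrative only.
function mec_guard_example_divider_html( $raw_value ) {
    $clean = sanitize_text_field( wp_unslash( $raw_value ) );
    return '<div class="month-divider">' . esc_html( $clean ) . '</div>';
}
```

The guard reduces exposure but is not equivalent to the vendor fix; updating to 6.1.5 remains the required action.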
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- WordPress / Modern Events Calendar Lite
- Range: <6.1.5
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] wpscan.com/vulnerability/82233588-6033-462d-b886-a8ef5ee9adb0 (MITRE, x_refsource_MISC)
News mentions
No linked articles in our index yet.