VYPR
Unrated severity · NVD Advisory · Published Jan 17, 2022 · Updated Aug 3, 2024

Modern Events Calendar Lite < 6.2.0 - Subscriber+ Category Add Leading to Stored XSS

CVE-2021-25046

Description

The Modern Events Calendar Lite WordPress plugin before 6.2.0 allowed any logged-in user, even a subscriber user, to add a category whose parameters are incorrectly escaped in the admin panel, leading to stored XSS.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS in Modern Events Calendar Lite < 6.2.0 allows any logged-in user to inject malicious scripts via category parameters.

Vulnerability

The Modern Events Calendar Lite WordPress plugin before version 6.2.0 contains a stored cross-site scripting (XSS) vulnerability in the category addition functionality. Any logged-in user, including those with the subscriber role, can add a category whose parameters are not properly escaped before being displayed in the admin panel. This allows the injection of arbitrary JavaScript code that will execute when an administrator views the category in the admin interface. [1]

Exploitation

An attacker needs only a valid user account with at least the subscriber role on the WordPress site. The attacker can then navigate to the category creation form and insert a malicious payload into one of the category parameters (e.g., name or slug). The payload is stored in the database and later rendered without proper escaping in the admin panel. When an administrator accesses the category management page, the injected script executes in their browser. [1]

Impact

Successful exploitation results in stored XSS within the WordPress admin panel. An attacker can execute arbitrary JavaScript in the context of an administrator's session, potentially leading to session hijacking, privilege escalation, defacement, or further compromise of the site. The impact is limited to the admin panel but can be severe due to the elevated privileges of the victim. [1]

Mitigation

The vulnerability is fixed in version 6.2.0 of the Modern Events Calendar Lite plugin. Users should update to this version or later immediately. No workarounds are documented in the available references. [1]
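The following audit sketch is an added example, not code from the advisory or from the plugin. It checks exported event-category rows for markup stored in the name, slug or description, and shows the escaped form that a correctly escaping admin view would output. The row layout, field names and sample values are assumptions constructed for illustration.

```python
import html
import re

# Patterns that have no place in a category name, slug or description.
SUSPICIOUS = [
    ("html tag", re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")),
    ("event handler attribute", re.compile(r"\bon[a-z]+\s*=", re.I)),
    ("javascript: URI", re.compile(r"javascript\s*:", re.I)),
]


def audit_terms(rows):
    """Return one finding per suspicious field in the exported category rows."""
    findings = []
    for row in rows:
        for field in ("name", "slug", "description"):
            raw = row.get(field) or ""
            reasons = [label for label, rx in SUSPICIOUS if rx.search(raw)]
            if reasons:
                findings.append({
                    "term_id": row["term_id"],
                    "field": field,
                    "reasons": reasons,
                    # What an admin view that escapes on output would emit.
                    "escaped": html.escape(raw, quote=True),
                })
    return findings


# Constructed sample export; column names are assumptions, not the plugin's schema.
SAMPLE_ROWS = [
    {"term_id": 11, "name": "Food & Drink", "slug": "food-drink", "description": ""},
    {"term_id": 12, "name": "<script>alert(1)</script>", "slug": "x", "description": ""},
    {"term_id": 13, "name": "Concerts", "slug": "concerts",
     "description": '<img src=x onerror="alert(1)">'},
    {"term_id": 14, "name": "Workshops <3", "slug": "workshops", "description": ""},
]

if __name__ == "__main__":
    for f in audit_terms(SAMPLE_ROWS):
        print(f["term_id"], f["field"], ", ".join(f["reasons"]), "->", f["escaped"])
```

Rows 11 and 14 pass because a bare `&` or `<` is legitimate text; only tag-shaped or handler-shaped content is reported for review.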

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

References

1
