Modern Events Calendar Lite < 6.4.0 - Contributor+ Stored Cross Site Scripting
Description
The Modern Events Calendar Lite WordPress plugin before 6.4.0 does not sanitize and escape some of the Hourly Schedule parameters, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Modern Events Calendar Lite <6.4.0 fails to sanitize Hourly Schedule parameters, allowing contributors to inject stored XSS.
Vulnerability
The Modern Events Calendar Lite plugin for WordPress versions before 6.4.0 does not properly sanitize and escape some of the Hourly Schedule parameters. This allows users with a role as low as contributor to perform Stored Cross-Site Scripting (XSS) attacks. The affected versions are all prior to 6.4.0. [1]
Exploitation
An attacker with a contributor-level account (or higher) can craft a malicious payload in the Hourly Schedule fields when creating or editing an event. The plugin fails to sanitize and escape these inputs, so the payload is stored in the database and later executed in the browsers of users viewing the event, such as administrators or other site visitors. [1]
Impact
Successful exploitation leads to stored XSS, which can result in arbitrary JavaScript execution in the context of the victim's session. An attacker could potentially steal cookies, session tokens, or perform actions on behalf of the victim, such as creating new admin users or defacing the site.
Mitigation
The vulnerability is fixed in version 6.4.0 of the Modern Events Calendar Lite plugin. Users are advised to update to this version or later. As of the publication date, no workaround is provided, but updating is the recommended mitigation. [1]
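A check for the mitigation above, as an added example that is not from the advisory or the plugin: it scans a plugins directory and reports copies of the plugin older than 6.4.0. It assumes the plugin's main file carries a standard WordPress header with `Plugin Name: Modern Events Calendar Lite` and a `Version:` line; the folder and file names in the demo are constructed.

```python
import re
import tempfile
from pathlib import Path

PLUGIN_NAME = "Modern Events Calendar Lite"  # plugin name as written in the advisory
FIXED_VERSION = (6, 4, 0)                    # first fixed release per the advisory

# WordPress-style header lines such as " * Version: 6.3.0" inside the leading comment.
HEADER_RE = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)\s*$", re.M | re.I)

def parse_version(text):
    """Turn '6.3' or '6.3.0' into a comparable 3-part tuple."""
    nums = [int(n) for n in re.findall(r"\d+", text)[:3]]
    return tuple(nums + [0] * (3 - len(nums)))

def read_plugin_header(php_file):
    """Read header fields from the first 8 KiB of the file."""
    head = php_file.read_bytes()[:8192].decode("utf-8", errors="replace")
    return {key.lower(): value for key, value in HEADER_RE.findall(head)}

def find_vulnerable_installs(plugins_dir):
    """Return (path, version) for copies of the plugin older than FIXED_VERSION."""
    hits = []
    for php_file in sorted(Path(plugins_dir).glob("*/*.php")):
        header = read_plugin_header(php_file)
        if header.get("plugin name") != PLUGIN_NAME:
            continue
        version = header.get("version", "")
        # No readable version is reported as well: it cannot be shown to be fixed.
        if not re.search(r"\d", version) or parse_version(version) < FIXED_VERSION:
            hits.append((str(php_file), version or "unknown"))
    return hits

def write_constructed_plugin(root, folder, version):
    """Create a constructed plugin main file for the demo (not real plugin code)."""
    path = Path(root) / folder / "main.php"
    path.parent.mkdir(parents=True)
    path.write_text(f"<?php\n/**\n * Plugin Name: {PLUGIN_NAME}\n * Version: {version}\n */\n")
    return path

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        write_constructed_plugin(root, "site-a-copy", "6.3.0")   # below the fix
        write_constructed_plugin(root, "site-b-copy", "6.4.0")   # fixed release
        for path, version in find_vulnerable_installs(root):
            print(f"UPDATE NEEDED: {path} (version {version})")
```

Point `find_vulnerable_installs` at a site's plugins directory to list the copies that still need the update to 6.4.0 or later.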
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
References
- [1] wpscan.com/vulnerability/0eb40cd5-838e-4b53-994d-22cf7c8a6c50 (mitre, x_refsource_MISC)