WordPress Modern Events Calendar Lite plugin <= 6.5.1 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
No known patch is available for this vulnerability.
The affected plugin has been removed from the WordPress.org directory (reason: Guideline Violation), and no patched version is being distributed through the official directory. If you have the affected software installed, you should uninstall or replace it rather than wait for an update.
Description
Authenticated (admin+ user) Stored Cross-Site Scripting (XSS) in Modern Events Calendar Lite (WordPress plugin) <= 6.5.1
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Authenticated stored XSS in Modern Events Calendar Lite <=6.5.1 allows admin+ users to inject malicious scripts, leading to site compromise.
Vulnerability
The Modern Events Calendar Lite WordPress plugin versions up to and including 6.5.1 contain a stored cross-site scripting (XSS) vulnerability. An authenticated user with administrator-level privileges (or higher) can inject arbitrary JavaScript into the plugin's settings or event data, which is then stored and executed when other users or visitors view the affected pages. [1]
Exploitation
An attacker must have an admin+ account on the WordPress site. They can then craft a malicious payload (e.g., JavaScript) and inject it into a vulnerable input field within the plugin's admin interface. No additional user interaction is required for the stored XSS to execute when the page is loaded by other users. [1]
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's browser. This can lead to session hijacking, defacement, redirection to malicious sites, or theft of sensitive information. The attack can affect any user who visits the compromised page, including site visitors. [1]
Mitigation
The vendor released version 6.5.2 to fix the vulnerability. However, as of May 11, 2022, the plugin has been permanently closed and removed from the WordPress.org plugin directory due to a guideline violation [2]. Users who have the plugin installed should immediately uninstall it and consider alternative event calendar plugins. If version 6.5.2 is available from other sources, updating to that version will resolve the XSS issue. [1][2]
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2- Range: <=6.5.1
- Range: <= 6.5.1
Patches
0modern-events-calendar-liteThis plugin has been removed from the WordPress.org directory on 2022-05-11 (reason: Guideline Violation). No patched version is being distributed through the official directory. Users who have it installed should uninstall it.
Source: api.wordpress.org · directory page
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
2News mentions
0No linked articles in our index yet.