Modern Events Calendar lite < 6.5.2 - Admin+ Stored XSS
Description
The Modern Events Calendar Lite WordPress plugin before 6.5.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in Modern Events Calendar Lite before 6.5.2 allows admin users to inject scripts via unsanitized settings, even when unfiltered_html is disallowed.
Vulnerability
The Modern Events Calendar Lite WordPress plugin versions before 6.5.2 fail to sanitize and escape certain plugin settings. This allows high-privilege users (e.g., administrators) to inject arbitrary JavaScript into the settings fields. The vulnerability is exploitable even when the unfiltered_html capability is disallowed, such as in multisite configurations [1].
Exploitation
An attacker with administrator-level access to the WordPress admin panel can navigate to the plugin's settings page, locate a vulnerable setting field, and insert a malicious script payload. Upon saving, the payload is stored and executed when the settings page is reloaded or when the setting value is rendered elsewhere in the admin interface. No additional user interaction is required beyond the initial save [1].
Impact
Successful exploitation results in Stored Cross-Site Scripting (XSS), allowing the attacker to execute arbitrary JavaScript in the context of the victim's browser session. This can lead to session hijacking, privilege escalation, or forced administrative actions. The attack is confined to the WordPress admin area but can affect any user who views the compromised settings page [1].
Mitigation
The vulnerability is fixed in version 6.5.2 of the plugin. Users should update to this version or later immediately. No workarounds are documented. The plugin is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
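To make the defect class concrete, the following is an added illustration, not code from Modern Events Calendar Lite: a settings handler that stores and renders an option unescaped, beside one that sanitises on save, escapes on output and honours the unfiltered_html capability. The option names (mec_demo_label, mec_demo_html), function names and nonce action are assumptions for this example.

```php
<?php
// Added illustration, not the plugin's code. Option and function names are hypothetical.

// Vulnerable pattern: value stored raw on save and echoed raw into an admin page.
function demo_save_setting_vulnerable() {
    // No sanitisation: whatever the form submits is persisted verbatim.
    update_option( 'mec_demo_label', wp_unslash( $_POST['mec_demo_label'] ) );
}
function demo_render_setting_vulnerable() {
    // Not escaped: a stored "<script>" fragment executes for every admin who views
    // this page, whether or not unfiltered_html is allowed on the site.
    echo '<input name="mec_demo_label" value="' . get_option( 'mec_demo_label' ) . '">';
}

// Hardened pattern: capability and nonce checks, sanitise on save, escape on output.
function demo_save_setting_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    check_admin_referer( 'mec_demo_save' ); // dies on a missing or invalid nonce

    // Plain-text setting: sanitize_text_field() strips tags, octets and line breaks.
    $label = isset( $_POST['mec_demo_label'] ) ? wp_unslash( $_POST['mec_demo_label'] ) : '';
    update_option( 'mec_demo_label', sanitize_text_field( $label ) );

    // A setting that legitimately holds markup must still respect the capability:
    // without unfiltered_html, reduce it to the post-safe allow-list (wp_kses_post).
    $html = isset( $_POST['mec_demo_html'] ) ? wp_unslash( $_POST['mec_demo_html'] ) : '';
    if ( ! current_user_can( 'unfiltered_html' ) ) {
        $html = wp_kses_post( $html );
    }
    update_option( 'mec_demo_html', $html );
}
function demo_render_setting_hardened() {
    // Escape for the context the value lands in: attribute context uses esc_attr().
    echo '<input name="mec_demo_label" value="'
        . esc_attr( get_option( 'mec_demo_label', '' ) ) . '">';
    // Re-filter the markup option at render time as well, so a value written by an
    // older unfiltered code path cannot execute when the settings page is viewed.
    echo '<div class="mec-demo-preview">'
        . wp_kses_post( get_option( 'mec_demo_html', '' ) ) . '</div>';
}
```

The second pair is the shape a fix for this class of bug takes: the stored value is filtered on the way in, and the output is escaped regardless of what is in the database, so the unfiltered_html restriction cannot be bypassed through a plugin setting.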
Affected products
- (no CPE), range: <6.5.2
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1. wpscan.com/vulnerability/c7feceef-28f1-4cac-b124-4b95e3f17b07 (source: mitre; tags: exploit, vdb-entry, technical-description)
News mentions
No linked articles in our index yet.