VYPR

Modern Events Calendar Lite

by Webnus

CVEs (7)

  • CVE-2024-5441 | High | Jul 9, 2024
    risk 0.59 | cvss 8.8 | epss 0.01

    The Modern Events Calendar plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the set_featured_image function in all versions up to, and including, 7.11.0. This makes it possible for authenticated attackers, with subscriber access…

  • CVE-2022-30533 | Med | Jun 16, 2022
    risk 0.35 | cvss 5.4 | epss 0.01

    Cross-site scripting vulnerability in Modern Events Calendar Lite versions prior to 6.3.0 allows a remote authenticated attacker to inject an arbitrary script via unspecified vectors.

  • CVE-2025-5733 | Med | Jun 6, 2025
    risk 0.34 | cvss 5.3 | epss 0.00

    The Modern Events Calendar Lite plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 7.21.9. This is due to improper or insufficient validation of the id property when exporting calendars. This makes it possible for unauthenticated…

  • CVE-2023-4021 | Med | Oct 20, 2023
    risk 0.29 | cvss 4.4 | epss 0.00

    The Modern Events Calendar Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Google API key and Calendar ID in versions up to, but not including, 7.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated…

  • CVE-2022-27848 | Low | Apr 14, 2022
    risk 0.22 | cvss 3.4 | epss 0.01

    Authenticated (admin+ user) Stored Cross-Site Scripting (XSS) in Modern Events Calendar Lite (WordPress plugin) <= 6.5.1

  • CVE-2021-4458 | Jul 12, 2025
    risk 0.00 | cvss | epss 0.00

    The Modern Events Calendar Lite plugin for WordPress is vulnerable to SQL Injection via the 'id' parameter of the 'wp_ajax_mec_load_single_page' AJAX action in all versions up to, and including, 6.3.0 due to insufficient escaping on the user-supplied parameter and lack of…

  • CVE-2024-6522 | Aug 7, 2024
    risk 0.00 | cvss | epss 0.00

    The Modern Events Calendar plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 7.12.1 via the 'mec_fes_form' AJAX function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web…