CVE-2021-24498
Published 2021-08-02
Priority P2 · 78 · medium · CVSS 3.1 base score 6.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
Tags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 3.06% (86.0th percentile)
The Calendar Event Multi View WordPress plugin before 1.4.01 does not sanitise or escape the 'start' and 'end' GET parameters before outputting them in the page (via php/edit.php), leading to a reflected Cross-Site Scripting issue.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| dwbooster | calendar_event_multi_view | < 1.4.01 | 1.4.01 |
Detection & IOCs (extracted from sources)
Sigma
The rule as extracted had only a `detection` block; the required `title` and `logsource` are supplied here, and a `payload` selection is added so that the rule does not fire on every ordinary request that carries `start` and `end` (the payload strings are the ones named in the guidance below; `%3Cscript` is the URL-encoded form that actually appears on the wire).
```yaml
title: CVE-2021-24498 Calendar Event Multi View reflected XSS attempt via php/edit.php
logsource:
  category: webserver
detection:
  selection:
    c-uri|contains: '/php/edit.php'
    cs-uri-query|contains|all:
      - 'start='
      - 'end='
  payload:
    cs-uri-query|contains: ['<script', '%3Cscript', 'javascript:', 'onerror=']
  condition: selection and payload
level: medium
```
YARA
The extracted rule matched the bare strings "start" and "end", which occur in almost any text, and only the literal `<script`, which is rarely seen unencoded in a request line; both are tightened here.
```yara
rule CVE_2021_24498_Calendar_Event_Multi_View_XSS {
    meta:
        description = "Detects exploitation of CVE-2021-24498 reflected XSS in Calendar Event Multi View plugin"
        cve = "CVE-2021-24498"
    strings:
        $path = "/php/edit.php" ascii
        // anchor on the parameter syntax rather than the bare words "start"/"end"
        $param1 = "start=" ascii
        $param2 = "end=" ascii
        // the payload usually arrives URL-encoded on the wire; match both forms
        $xss1 = "<script" ascii nocase
        $xss2 = "%3Cscript" ascii nocase
    condition:
        $path and ($param1 or $param2) and ($xss1 or $xss2)
}
```
- Monitor HTTP GET requests to '/php/edit.php' whose 'start' and/or 'end' query parameters carry script-injection payloads (e.g. <script>, javascript:, onerror=); these indicate reflected XSS attempts against the Calendar Event Multi View plugin. Payloads normally arrive URL-encoded (%3Cscript), so decode the query string before matching.
- Look for HTTP responses with Content-Type 'text/html' and status 200 to requests on the vulnerable endpoint, since the unsanitised parameters are reflected directly into the HTML output.
- Only Calendar Event Multi View versions before 1.4.01 are affected. Fingerprint the installed plugin version before deploying these detections to reduce false positives; the presence of the 'start' and 'end' parameter names alone is not an indicator.
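The detection guidance above, worked through as an added example (this is not code from the page, from VulnCheck, or from the plugin): a small Python scanner that applies the three points to access-log lines, decoding the `start`/`end` values before matching and gating findings on the installed plugin version. The log lines are constructed for the example, the plugin directory name in them and the helper names (`classify`, `scan`, `is_vulnerable_version`) are assumptions, and the regexes are illustrative rather than a complete XSS signature.

```python
"""Added example for CVE-2021-24498 detection guidance (not the page's or the
plugin's code). Sample log lines, paths and helper names are constructed."""
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

VULN_PATH = "/php/edit.php"       # endpoint named in the advisory
FIXED_VERSION = (1, 4, 1)          # 1.4.01 -> (1, 4, 1)

# Payload markers from the guidance (<script>, javascript:, on*=) plus two
# common tag-based variants; illustrative, not an exhaustive XSS signature.
XSS_MARKERS = re.compile(
    r"<\s*script|javascript\s*:|\bon[a-z]+\s*=|<\s*svg|<\s*img", re.I)

# Combined log format, as written by Apache/nginx (constructed sample below).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+')


def parse_version(v: str) -> tuple:
    """'1.4.01' -> (1, 4, 1); a non-numeric component compares as 0."""
    parts = []
    for p in v.split("."):
        digits = "".join(ch for ch in p if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_vulnerable_version(v: str) -> bool:
    """True for plugin versions before 1.4.01, the affected range on the page."""
    return parse_version(v) < FIXED_VERSION


def classify(line: str):
    """Return a finding for a GET to /php/edit.php whose start/end value looks
    like an XSS payload, else None. parse_qs decodes one layer of URL encoding;
    a second unquote_plus catches double-encoded payloads. Matching the raw
    request line for '<script' would miss the usual %3Cscript form."""
    m = LOG_RE.match(line)
    if not m or m.group("method") != "GET":
        return None
    url = urlsplit(m.group("target"))
    if not url.path.endswith(VULN_PATH):
        return None
    qs = parse_qs(url.query, keep_blank_values=True)
    hits = {}
    for name in ("start", "end"):
        for value in qs.get(name, []):
            decoded = unquote_plus(value)
            if XSS_MARKERS.search(decoded):
                hits[name] = decoded
    if not hits:
        return None
    return {"ip": m.group("ip"), "status": int(m.group("status")), "params": hits}


def scan(lines, plugin_version=None):
    """Classify each line. When the installed plugin version is known and is
    already 1.4.01 or later, findings are kept (an attempt is still worth
    seeing) but flagged as not exploitable, per the false-positive advice."""
    findings = []
    for line in lines:
        f = classify(line)
        if f is None:
            continue
        f["exploitable"] = plugin_version is None or is_vulnerable_version(plugin_version)
        findings.append(f)
    return findings


# Constructed sample traffic; the plugin directory name is an assumption.
SAMPLE_LOG = [
    '203.0.113.7 - - [02/Aug/2021:10:00:01 +0000] "GET /wp-content/plugins/calendar-event-multi-view/php/edit.php?start=2021-08-01&end=2021-08-31 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [02/Aug/2021:10:00:02 +0000] "GET /wp-content/plugins/calendar-event-multi-view/php/edit.php?start=%3Cscript%3Ealert(1)%3C%2Fscript%3E&end=x HTTP/1.1" 200 5300',
    '203.0.113.9 - - [02/Aug/2021:10:00:03 +0000] "GET /wp-content/plugins/calendar-event-multi-view/php/edit.php?start=a&end=%22%3E%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E HTTP/1.1" 200 5310',
    '198.51.100.4 - - [02/Aug/2021:10:00:04 +0000] "GET /index.php?s=%3Cscript%3E HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG, plugin_version="1.3.9"):
        print(finding)
```

The first sample line is an ordinary date-range request and produces nothing even though it carries both parameter names, which is the false-positive case the guidance warns about; the fourth hits a different endpoint and is ignored. Only the two encoded payloads are reported, and with `plugin_version="1.4.01"` they are reported as attempts against a patched install.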
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| NVD | 2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
| VulnCheck | | 6.1 | MEDIUM | |
GHSA
GHSA-556c-5rxg-4747 · ghsa_unreviewed · 2022-05-24 · CWE-79 · MEDIUM
The Calendar Event Multi View WordPress plugin before 1.4.01 does not sanitise or escape the 'start' and 'end' GET parameters before outputting them in the page (via php/edit.php), leading to a reflected Cross-Site Scripting issue.
VulnCheck
dwbooster calendar_event_multi_view · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') · vulncheck · 2021 · CVSS 6.1 · MEDIUM
Affected: dwbooster calendar_event_multi_view
Required Action: Apply remediations or mitigations per vendor instructions, or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://app.crowdsec.net/cti/cve-explorer/CVE-2021-24498
No detection rules found.
Nuclei
WordPress Calendar Event Multi View <1.4.01 - Cross-Site Scripting · nuclei · CVSS 6.1 · MEDIUM
Only the tail of the template survives on this page: the `id`, `info` and request sections and the first entry of the body matcher's word list are cut off before `'Calendar Details'`. The remaining matchers are reproduced with their structure restored:
```yaml
        # ... preceding word entries of the body matcher are cut off on this page
        - 'Calendar Details'
      condition: and
    - type: word
      part: header
      words:
        - 'text/html'
    - type: status
      status:
        - 200
# digest: 4b0a004830460221008e56f167c40b055b88fe0883f6cf14501ff1e85bfb7f69016ea2f295dcb24ca5022100c38db35a56bebac46d8fdb04860b900295fe86e390d7b86d9d08b7769bb6db42:922c64590222798bb761d5b6d8e72950
```