cbcvebase.
CVE-2021-24876
published 2021-11-29


Priority: P278 (medium)
CVSS 3.1 base score: 6.1 (medium); vector AV:N / AC:L / PR:N / UI:R / S:C / C:L / I:L / A:N
In-the-wild exploitation: listed in VulnCheck KEV (exploited in the wild)
EPSS: 1.17% (63.3rd percentile)
The Registrations for the Events Calendar WordPress plugin before 2.7.5 does not escape the v parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting

Affected

1 range

Vendor     Product                                Version range   Fixed in
roundupwp  registrations_for_the_events_calendar  < 2.7.5         2.7.5

Detection & IOCs (extracted from sources)

url:  /wp-admin/admin.php?page=registrations-for-the-events-calendar&tab=registrations&v="+style=animation-name:rotation+onanimationstart=alert(document.domain)//
path: /wp-content/plugins/registrations-for-the-events-calendar/
path: /wp-admin/admin.php?page=registrations-for-the-events-calendar&tab=registrations
  • Detect exploitation attempts by looking for a 'v' parameter carrying an XSS payload in requests to the registrations-for-the-events-calendar admin page
  • Flag HTTP GET requests to /wp-admin/admin.php with query parameters page=registrations-for-the-events-calendar and a 'v' parameter containing HTML/JS injection characters (e.g. quotes, style=, onanimationstart=); match on the percent-decoded value, since a browser sends the quote as %22 and the spaces as +
  • Successful exploitation returns HTTP 200 with content-type text/html and reflects the injected payload unescaped inside an HTML input attribute in the response body; in a default WordPress install an unauthenticated request to /wp-admin/admin.php is answered with a 302 to wp-login.php instead, so a 200 for the payload URL means the request came from a browser with a logged-in session
  • Presence of the plugin path in the page body can be used to fingerprint installations for targeted scanning; confirm the installed version is below 2.7.5 before treating an instance as vulnerable
  • The attacker needs no privileges on the site (CVSS PR:N): the payload is delivered as a crafted link to a user who is logged in and can open the plugin's admin page, and it fires when that user opens the link (UI:R). The request runs in the victim's authenticated session, which is what the admin-panel endpoint requires
  • The vulnerability exists only in plugin versions prior to 2.7.5; instances running 2.7.5 or later are not affected
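The detection notes above, implemented as an added example (this is not code from the page, from VulnCheck or from the plugin): a small Python scanner that parses access-log lines in Apache/nginx combined format (an assumption about the log layout), flags GET requests to the plugin's admin page whose v parameter contains attribute-breakout or event-handler tokens, and uses the response status to separate a blind probe from a payload that was actually served to a logged-in user. The sample log lines are constructed for the example; the 302-to-login behaviour it relies on is WordPress core's auth_redirect() on wp-admin pages. A second helper checks a captured response body for the unescaped reflection the page describes, as opposed to the entity-escaped output esc_attr() would produce.

```python
"""Added example, not code from the page or from the Registrations for the
Events Calendar plugin: detection logic for CVE-2021-24876 exploitation
attempts, run over constructed access-log lines.

It implements the page's detection notes: flag GET requests to
/wp-admin/admin.php whose page parameter is the plugin's admin page and whose
v parameter carries attribute-breakout or event-handler characters, then use
the response status to tell a blind probe from a payload served to a
logged-in user."""
import re
from urllib.parse import parse_qs, urlsplit

# Combined/Common Log Format: client - user [time] "METHOD target PROTO" status bytes
# (assumed log layout)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

PLUGIN_PAGE = "registrations-for-the-events-calendar"

# Tokens that break out of an HTML attribute or attach a handler. The
# style= / onanimationstart= pair comes from the public PoC URL on this page;
# the character class generalises it to other attribute-injection payloads.
SUSPICIOUS = re.compile(r'["\'<>]|\bstyle\s*=|\bon[a-z]+\s*=', re.IGNORECASE)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qs percent-decodes values and turns '+' into spaces, which is
    # how PHP will see the v parameter too.
    rec["query"] = parse_qs(parts.query, keep_blank_values=True)
    return rec


def is_exploit_attempt(rec):
    """True when the request targets the plugin's admin page with an injected v."""
    if rec is None or rec["method"] != "GET" or rec["path"] != "/wp-admin/admin.php":
        return False
    q = rec["query"]
    if q.get("page") != [PLUGIN_PAGE]:
        return False
    return any(SUSPICIOUS.search(v) for v in q.get("v", []))


def verdict(rec):
    """Triage a flagged request by its response status.

    admin.php sends a browser without a WordPress session to wp-login.php with
    a 302 (core's auth_redirect()), so a 200 means the requester was logged in:
    the payload reached a real user and, on a version before 2.7.5, was
    reflected unescaped into the attribute."""
    if rec["status"] == "200":
        return "reflected-to-authenticated-user"
    if rec["status"].startswith("3"):
        return "attempt-unauthenticated"
    return "attempt"


def scan(log_text):
    """Return one finding per exploit attempt found in the log text."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if is_exploit_attempt(rec):
            findings.append({"ip": rec["ip"], "ts": rec["ts"],
                             "status": rec["status"], "verdict": verdict(rec),
                             "v": rec["query"]["v"][0]})
    return findings


def reflected_unescaped(value, body):
    """Response-side check for the behaviour the page describes: the injected
    value appears verbatim in the HTML. An escaped reflection (what
    esc_attr() produces, e.g. &quot; for the double quote) does not count."""
    return SUSPICIOUS.search(value) is not None and value in body


# Constructed sample log: a probe from a scanner with no session (302), the
# same URL opened by a logged-in admin who clicked the link (200), a benign
# value, and a different plugin page that must not be flagged.
SAMPLE_LOG = """\
203.0.113.5 - - [29/Nov/2021:10:01:02 +0000] "GET /wp-admin/admin.php?page=registrations-for-the-events-calendar&tab=registrations&v=%22+style%3Danimation-name%3Arotation+onanimationstart%3Dalert(document.domain)// HTTP/1.1" 302 0
192.0.2.44 - - [29/Nov/2021:10:01:40 +0000] "GET /wp-admin/admin.php?page=registrations-for-the-events-calendar&tab=registrations&v=%22+style%3Danimation-name%3Arotation+onanimationstart%3Dalert(document.domain)// HTTP/1.1" 200 18342
198.51.100.7 - - [29/Nov/2021:10:02:11 +0000] "GET /wp-admin/admin.php?page=registrations-for-the-events-calendar&tab=registrations&v=smith HTTP/1.1" 200 17020
198.51.100.9 - - [29/Nov/2021:10:03:00 +0000] "GET /wp-admin/admin.php?page=some-other-plugin&v=%22%3E%3Cscript%3E HTTP/1.1" 200 9120
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['status']} {f['verdict']} v={f['v']!r}")
```

Matching on the decoded value matters: the raw request line carries `%22` and `+`, so a rule that looks for a literal quote in the URL misses the PoC as a browser actually sends it. The status-based triage is a heuristic for a default install; a WAF or a custom login flow in front of wp-admin changes what an unauthenticated probe receives.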

CVSS provenance

NVD, CVSS v3.1: 6.1 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
NVD, CVSS v2.0: 4.3 MEDIUM, AV:N/AC:M/Au:N/C:N/I:P/A:N
VulnCheck: 6.1 MEDIUM