CVE-2021-24925

Severity: 6.1 MEDIUM
EPSS: 0.3% (top 47.34%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Dec 13; Latest update Dec 14

Description

The Modern Events Calendar Lite WordPress plugin before 6.1.5 does not sanitise and escape the current_month_divider parameter of its mec_list_load_more AJAX call (available to both unauthenticated and authenticated users) before outputting it back in the response, leading to a Reflected Cross-Site Scripting issue.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Exploitability: 2.8 | Impact: 2.7

Affected Packages: 2 packages

Vulnerability Details: 2

GHSA (2021-12-14): GHSA-jcvw-97r9-7cg7: The Modern Events Calendar Lite WordPress plugin before 6
CVEList (2021-12-13): Modern Events Calendar Lite < 6.1.5 - Reflected Cross-Site Scripting
CVE-2021-24925 (MEDIUM CVSS 6.1) | The Modern Events Calendar Lite Wor | cvebase.io