CVE-2021-25046

Severity
5.4 MEDIUM
EPSS
0.2%
top 60.34%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published Jan 17
Latest update Jan 18

Description

The Modern Events Calendar Lite WordPress plugin before 6.2.0 allowed any logged-in user, even a subscriber, to add a category whose parameters are incorrectly escaped in the admin panel, leading to stored XSS.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Exploitability: 2.3 | Impact: 2.7

Affected Packages: 2 packages

🔴Vulnerability Details

2
GHSA
GHSA-pv7x-h3w5-m6h9: The Modern Events Calendar Lite WordPress plugin before 6 (2022-01-18)
CVEList
Modern Events Calendar Lite < 6.2.0 - Subscriber+ Category Add Leading to Stored XSS (2022-01-17)

💥Exploits & PoCs

1
Exploit-DB
Cerberus FTP Web Service 11 - 'svg' Stored Cross-Site Scripting (XSS) (2021-06-11)