CVE-2023-1400

CWE-79Cross-site Scripting (XSS)5 documents4 sources
Severity
4.8MEDIUM
EPSS
0.3%
top 47.75%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Unknown Modern Events Calendar LiteWebnus Modern Events Calendar Lite
Timeline
PublishedMar 27
Latest updateMay 23

Description

The Modern Events Calendar Lite WordPress plugin before 6.5.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:NExploitability: 1.7 | Impact: 2.7

Affected Packages2 packages

🔴Vulnerability Details

2
CVEList
Modern Events Calendar lite < 6.5.2 - Admin+ Stored XSS2023-03-27
GHSA
GHSA-3cw2-x5r6-wgmh: The Modern Events Calendar Lite WordPress plugin through 52023-03-27

💥Exploits & PoCs

2
Exploit-DB
eScan Management Console 14.0.1400.2281 - Cross Site Scripting2023-05-23
Exploit-DB
eScan Management Console 14.0.1400.2281 - SQL Injection (Authenticated)2023-05-23
CVE-2023-1400 (MEDIUM CVSS 4.8) | The Modern Events Calendar Lite Wor | cvebase.io