Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2024-4180 — Cross-site Scripting in THE Events Calendar

Severity

9.1CRITICALNVD

EPSS

42.4%

top 2.54%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Timeline

PublishedJun 4

Description

The Events Calendar WordPress plugin before 6.4.0.1 does not properly sanitize user-submitted content when rendering some views via AJAX.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:NExploitability: 3.9 | Impact: 5.2

GHSA

GHSA-g32g-9438-h47q: The Events Calendar WordPress plugin before 6↗2024-06-04

▶

CVEList

The Events Calendar < 6.4.0.1 - Reflected XSS↗2024-06-04

▶

Nuclei

The Events Calendar < 6.4.0.1 - Cross-site Scripting

▶