CVE-2014-7138

Name of the Vulnerable Software and Affected Versions Google Calendar Events plugin versions prior to 2.0.4

Description A cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML via the gce feed ids parameter in a "gce ajax" action to "wp-admin/admin-ajax.php".

Recommendations For versions prior to 2.0.4, update to version 2.0.4 or later to resolve the issue. As a temporary workaround, consider restricting access to the "wp-admin/admin-ajax.php" endpoint or avoiding the use of the gce feed ids parameter in the "gce ajax" action until the update is applied.