PT-2019-9653 · Kieran O'Shea · Kieran O'Shea Calendar Plugin

Publicado

2019-05-13

Atualizado

2019-05-13

CVE-2018-18872

CVSS v3.1

5.4

Média

Vetor

AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions Kieran O'Shea Calendar plugin versions prior to 1.3.11

Description The issue allows for Stored XSS attacks. This can occur through the event title parameter in a "wp-admin/admin.php?page=calendar" add action, or the category name during category creation at the "wp-admin/admin.php?page=calendar-categories" URI.

Recommendations For versions prior to 1.3.11, update to version 1.3.11 or later to resolve the issue. As a temporary workaround, consider restricting access to the "wp-admin/admin.php?page=calendar" and "wp-admin/admin.php?page=calendar-categories" endpoints until the update is applied. Avoid using malicious input for the event title parameter and category name in the affected endpoints.

Exploit

Correção

XSS

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-79

Identificadores relacionados

CVE-2018-18872

Produtos afetados

Kieran O'Shea Calendar Plugin

PT-2019-9653 · Kieran O'Shea · Kieran O'Shea Calendar Plugin

CVE-2018-18872

Enumeração de Fraquezas

Identificadores relacionados

Produtos afetados

Referências · 3