CVE-2022-0212

Name of the Vulnerable Software and Affected Versions SpiderCalendar WordPress plugin versions 1.5.65 and earlier

Description The issue exists due to insufficient protection of the webpage structure, allowing a remote attacker to conduct a cross-site scripting (XSS) attack. Specifically, the SpiderCalendar WordPress plugin does not sanitize and escape the callback parameter before outputting it back in the page via the window AJAX action, which is available to both unauthenticated and authenticated users. This leads to a Reflected Cross-Site Scripting issue.

Recommendations For SpiderCalendar WordPress plugin versions 1.5.65 and earlier, consider disabling the window AJAX action until a patch is available. Restrict access to the callback parameter to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.