CVE-2023-2406

Name of the Vulnerable Software and Affected Versions The Event Registration Calendar By vcita plugin versions up to and including 3.9.1 Online Payments – Get Paid with PayPal, Square & Stripe plugin versions up to and including 1.3.1

Description The issue is related to Stored Cross-Site Scripting via the email parameter due to insufficient input sanitization and output escaping. This allows authenticated attackers with the edit posts capability to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Recommendations For The Event Registration Calendar By vcita plugin versions up to and including 3.9.1, update to a version that includes proper input sanitization and output escaping for the email parameter. For Online Payments – Get Paid with PayPal, Square & Stripe plugin versions up to and including 1.3.1, update to a version that includes proper input sanitization and output escaping for the email parameter. As a temporary workaround, consider restricting access to the email parameter in the affected plugins until a patch is available.