CVE-2023-2406 in Event Registration Calendar Plugininfo

Summary

by MITRE • 06/03/2023

The Event Registration Calendar By vcita plugin, versions up to and including 3.9.1, and Online Payments – Get Paid with PayPal, Square & Stripe plugin, for WordPress are vulnerable to Stored Cross-Site Scripting via the 'email' parameter in versions up to, and including, 1.3.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with the edit_posts capability, such as contributors and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 04/09/2026

The vulnerability identified as CVE-2023-2406 affects two WordPress plugins: Event Registration Calendar By vcita and Online Payments – Get Paid with PayPal Square & Stripe. These plugins expose a stored cross-site scripting flaw through the email parameter, creating a persistent security risk for WordPress installations. The vulnerability specifically impacts versions up to and including 3.9.1 for the calendar plugin and 1.3.1 for the payment plugin, demonstrating how even minor version increments can introduce critical security gaps that affect user data and system integrity.

The technical flaw stems from inadequate input sanitization and insufficient output escaping mechanisms within the affected plugins. When authenticated users with edit_posts capability submit data containing malicious scripts through the email parameter, these scripts are stored within the application's database and subsequently executed whenever other users access pages containing the injected content. This represents a classic stored XSS vulnerability pattern that aligns with CWE-79, which categorizes improper neutralization of input during web page generation as a primary cause of cross-site scripting attacks. The vulnerability's classification under CWE-79 reflects the fundamental issue of failing to properly validate and escape user-supplied data before incorporating it into dynamic web content.

The operational impact of this vulnerability extends beyond simple script execution, as it provides attackers with a persistent foothold within WordPress environments. Contributors and above, who typically have limited publishing privileges, can leverage this vulnerability to inject malicious code that executes in the context of other users' browsers. This creates potential for session hijacking, credential theft, and data exfiltration attacks. The attack vector is particularly concerning because it requires minimal privileges to exploit, making it accessible to users who should normally be restricted from performing such actions. The vulnerability effectively undermines WordPress's access control mechanisms by allowing lower-privilege users to execute code that could compromise the entire site.

Security professionals should prioritize immediate remediation through plugin updates to versions that address the input sanitization and output escaping deficiencies. The ATT&CK framework categorizes this type of vulnerability under T1566, which encompasses credential access techniques through social engineering and exploitation of application vulnerabilities. Organizations should implement comprehensive monitoring for suspicious user activities and review user capabilities to ensure that only trusted administrators have edit_posts privileges. Additionally, implementing content security policies and regular security audits of WordPress plugins can help prevent similar vulnerabilities from being exploited in the future. The vulnerability highlights the critical importance of validating all user inputs and properly escaping output in web applications, particularly those handling sensitive data like email addresses and payment information.

Responsible

Wordfence

Reservation

04/28/2023

Disclosure

06/03/2023

Moderation

accepted

CPE

ready

EPSS

0.00755

KEV

no

Activities

very low

Sources

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!