CVE-2023-4021 in Modern Events Calendar Lite Plugin
Summary
by MITRE • 10/25/2023
The Modern Events Calendar lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Google API key and Calendar ID in versions up to, but not including, 7.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 04/10/2026
The vulnerability identified as CVE-2023-4021 affects the Modern Events Calendar lite plugin for WordPress: a critical stored cross-site scripting flaw present in versions prior to 7.1.0. The weakness lies in the plugin's handling of Google API keys and calendar IDs, and it provides a persistent vector for malicious code injection that can compromise user sessions and data integrity across affected WordPress installations.
The technical flaw stems from inadequate input sanitization and insufficient output escaping in the plugin's codebase. When administrators configure the plugin by entering a Google API key and calendar ID, the application does not properly validate or sanitize these inputs before storing them in the database, and it does not adequately escape the stored values when rendering them in web pages. Malicious script can therefore be permanently embedded in the plugin's configuration data. The result is a stored XSS vulnerability in which an authenticated attacker with administrator privileges injects JavaScript that persists in the database and executes whenever a user accesses an affected page.
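The store-then-echo pattern described above, shown beside a hardened version and a small audit helper, as an added illustration that is not code from the Modern Events Calendar plugin. The mec_demo_* function and option names are hypothetical, and the allowlists for the key and calendar ID are assumptions; sanitize_text_field(), esc_attr(), is_email(), current_user_can(), check_admin_referer() and the options API are WordPress core functions.

```php
<?php
// Added illustration, not code from the Modern Events Calendar plugin.
// Option names and the mec_demo_* functions are hypothetical; sanitize_text_field(),
// esc_attr(), is_email(), current_user_can() and the options API are WordPress core.

// --- Vulnerable pattern: raw input stored, then echoed back unescaped ---
function mec_demo_save_settings_vulnerable() {
    update_option( 'mec_demo_google_api_key', $_POST['google_api_key'] );
    update_option( 'mec_demo_calendar_id', $_POST['calendar_id'] );
}
function mec_demo_render_settings_vulnerable() {
    // A stored value containing a double quote closes the attribute, so any markup after it is rendered.
    echo '<input name="google_api_key" value="' . get_option( 'mec_demo_google_api_key' ) . '">';
}

// --- Hardened pattern: allowlist on save, escape on output ---
function mec_demo_validate_api_key( $value ) {
    // Assumption: a key is only letters, digits, '-' and '_'; anything else is rejected.
    $value = sanitize_text_field( wp_unslash( (string) $value ) );
    return preg_match( '/^[A-Za-z0-9_-]{1,128}$/', $value ) ? $value : '';
}
function mec_demo_validate_calendar_id( $value ) {
    // Assumption: a calendar ID is e-mail shaped, so WordPress's is_email() is the gate.
    $value = sanitize_text_field( wp_unslash( (string) $value ) );
    return is_email( $value ) ? $value : '';
}
function mec_demo_save_settings_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    check_admin_referer( 'mec_demo_save_settings' );
    update_option( 'mec_demo_google_api_key', mec_demo_validate_api_key( $_POST['google_api_key'] ?? '' ) );
    update_option( 'mec_demo_calendar_id', mec_demo_validate_calendar_id( $_POST['calendar_id'] ?? '' ) );
}
function mec_demo_render_settings_hardened() {
    // esc_attr() neutralises quotes and angle brackets even if a bad value reached the database.
    echo '<input name="google_api_key" value="' . esc_attr( get_option( 'mec_demo_google_api_key', '' ) ) . '">';
}

// --- Detection: list stored settings that contain markup characters ---
function mec_demo_find_tainted_options( array $option_names ) {
    $tainted = array();
    foreach ( $option_names as $name ) {
        if ( preg_match( '/[<>"\']/', (string) get_option( $name, '' ) ) ) {
            $tainted[] = $name;
        }
    }
    return $tainted;
}
```

The validators are deliberately strict; a deployment that must accept other ID forms should widen the allowlist rather than drop it, and escaping on output stays in place regardless.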
The operational impact goes beyond simple script execution, because the vulnerability specifically affects multi-site WordPress installations, where it manifests more severely. The attack requires an authenticated user with administrator-level permissions or higher, which makes it particularly dangerous in environments where administrative access has been compromised. Its scope is limited to installations where unfiltered_html has been disabled, which shows that the plugin's security model assumes certain WordPress configurations and access controls: where administrators hold the unfiltered_html capability they may post raw HTML anyway, so the missing sanitization only becomes a bypass of a privilege boundary once that capability has been removed, as it is by default for site administrators on multi-site networks. In standard WordPress installations where unfiltered_html is enabled the vulnerability may therefore not manifest, but in hardened environments it presents a significant risk to system integrity and user data protection.
The vulnerability is classified under CWE-79, which covers cross-site scripting, one of the most prevalent web application weaknesses. That classification frames the issue as a failure of input validation and output escaping that creates persistent threats affecting multiple users over time. From an ATT&CK framework perspective, this vulnerability maps to T1566, representing initial compromise through the exploitation of web application vulnerabilities, and T1059, covering the execution of malicious code through compromised administrative interfaces. The attack vector specifically bears on the privilege escalation and persistence phases of the attack lifecycle, allowing attackers to maintain control over affected systems and potentially expand their access to other network resources.
Organizations should update to version 7.1.0 or later immediately, since the patch addresses the sanitization and escaping issues that enable the stored XSS. Administrators should also review their WordPress configuration, particularly unfiltered_html permissions, and implement network monitoring to detect exploitation attempts. The case demonstrates the importance of input validation and output escaping in web applications, particularly in plugin ecosystems where third-party code interacts with core WordPress functionality and user data.