CVE-2021-24147

CVE-2021-24147: Modern Events Calendar Lite < 5.16.5 - Authenticated Stored Cross-Site Scripting (XSS)

Vendor Unknown
Product Modern Events Calendar Lite
Weakness CWE-79 · XSS
Published March 18, 2021
Last update August 3, 2024

CVSS base score

What the vulnerability does

01Description

Unvalidated input and lack of output encoding in the Modern Events Calendar Lite WordPress plugin, versions before 5.16.5, did not sanitise the mic_comment field (Notes on time) when adding/editing an event, allowing users with privilege as low as author to add events with a Cross-Site Scripting payload in them, which will be triggered in the frontend when viewing the event.

Key dates

02Disclosure timeline

March 18, 2021 CVE published
August 3, 2024 Record updated

Related vulnerabilities

04Related CVE