WordPress Calendar Plugin Stored Cross-Site Scripting Vulnerability

A stored cross-site scripting vulnerability has been identified in the Calendar plugin for WordPress, affecting all versions through 1.3.16. The issue arises from inadequate input sanitization and output escaping, allowing authenticated attackers with Contributor-level access or higher to inject arbitrary scripts into event descriptions. These scripts are executed when a user accesses the affected page, provided an administrator has enabled event management for lower privilege users.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the event.

Reproduction

To reproduce this vulnerability, an authenticated user with Contributor-level access or higher can inject scripts into the 'event_desc' parameter while creating or editing an event. Once the event is saved, the injected script will execute when the event page is viewed, assuming the administrator has permitted lower privilege users to manage calendar events.

Remediation

Users are advised to update the Calendar plugin to version 1.3.17 or later, where this vulnerability has been fixed.