My Calendar 2.5.16 Cross Site Scripting

My Calendar versions 2.5.16 and below suffer from a stored cross site scripting vulnerability.

An authenticated user who can add new events can inject arbitrary JavaScript code via the event_time_label input. The injected code runs both on the event page and in the admin panel.

In my-calendar-event-manager.php, line 1873, the variable $eventTime is not sanitized.

Vulnerability is fixed in My Calendar 2.5.17.
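
The handling an unsanitized field like this needs, shown as an added example (not My Calendar's code and not the 2.5.17 patch): plain PHP stand-ins for WordPress's sanitize_text_field(), esc_html() and esc_attr(). The function names, the markup and the sample value are constructed assumptions; only the field name event_time_label comes from the advisory.

```php
<?php
// Added example; not My Calendar's code. Only the field name
// event_time_label comes from the advisory; everything else is assumed.

const ESC_FLAGS = ENT_QUOTES | ENT_SUBSTITUTE;

// Save path: store plain text only (WordPress: sanitize_text_field()).
function clean_time_label(string $raw): string {
    $text = strip_tags($raw);
    $text = preg_replace('/[\x00-\x1F\x7F]+/', ' ', $text) ?? '';
    return trim($text);
}

// Pattern the advisory describes: stored value echoed without escaping.
function render_unsafe(string $stored): string {
    return '<span class="event-time">' . $stored . '</span>';
}

// Event page, HTML body context (WordPress: esc_html()).
function render_event_page(string $stored): string {
    return '<span class="event-time">'
        . htmlspecialchars($stored, ESC_FLAGS, 'UTF-8') . '</span>';
}

// Admin edit form, attribute context (WordPress: esc_attr()).
function render_admin_field(string $stored): string {
    return '<input type="text" name="event_time_label" value="'
        . htmlspecialchars($stored, ESC_FLAGS, 'UTF-8') . '">';
}

// Constructed test value that tries to close an attribute and open a tag.
$submitted = '"><script>alert(1)</script>';

// A legacy row saved before the fix still holds raw markup, so output
// escaping must not depend on the save-time cleanup having run.
$legacy_row = $submitted;
$new_row = clean_time_label($submitted);

foreach (['legacy' => $legacy_row, 'new' => $new_row] as $kind => $row) {
    echo "[$kind] stored:     ", var_export($row, true), PHP_EOL;
    echo "[$kind] unsafe:     ", render_unsafe($row), PHP_EOL;
    echo "[$kind] event page: ", render_event_page($row), PHP_EOL;
    echo "[$kind] admin form: ", render_admin_field($row), PHP_EOL;
}
```

Stripping tags at save time still leaves the double quote in the stored value, which is why the attribute sink needs its own escaping rather than relying on the cleanup alone.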

Proof of Concept:
Video PoC:
