Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2020-9459

Multiple Stored Cross-site scripting (XSS) vulnerabilities in the Webnus Modern Events Calendar Lite plugin through 5.1.6 for WordPress allows remote authenticated users (with minimal permissions) to inject arbitrary JavaScript, HTML, or CSS via Ajax actions. This affects mec_save_notifications and import_settings.

Published

2020-02-28T21:15:13.367

Last Modified

2024-11-21T05:40:41.210

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 5.4 (MEDIUM)

CVSSv2 Vector

AV:N/AC:M/Au:S/C:N/I:P/A:N

Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: SINGLE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE

Exploitability Score

6.8

Impact Score

2.9

Weaknesses

Type: Primary
CWE-79

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	webnus	modern_events_calendar_lite	≤ 5.1.6	Yes

References

https://wpvulndb.com/vulnerabilities/10100 Exploit, Third Party Advisory ([email protected])
https://www.wordfence.com/blog/2020/02/site-takeover-campaign-exploits-multiple-zero-day-vulnerabilities/ Exploit, Third Party Advisory ([email protected])
https://wpvulndb.com/vulnerabilities/10100 Exploit, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://www.wordfence.com/blog/2020/02/site-takeover-campaign-exploits-multiple-zero-day-vulnerabilities/ Exploit, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)