CVE-2022-2846
Summary
| CVE | CVE-2022-2846 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2022-08-16 19:15:00 UTC |
| Updated | 2023-04-05 18:15:00 UTC |
| Description | The Calendar Event Multi View WordPress plugin before 1.4.07 does not have any authorisation and CSRF checks in place when creating an event, and is also lacking sanitisation as well as escaping in some of the event fields. This could allow unauthenticated attackers to create arbitrary events and put Cross-Site Scripting payloads in it. |
Risk And Classification
Problem Types: CWE-79 | CWE-862
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Dwbooster | Calendar Event Multi View | All | All | All | All |
| Application | Dwbooster | Calendar Event Multi View | - | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Calendar Event Multi View 1.4.07 Cross Site Scripting ≈ Packet Storm | MISC | packetstormsecurity.com | |
| CVE-2022-2846 \| Calendar Event Multi View Plugin cross-site request forgery | MISC | vuldb.com | |
| Calendar Event Multi View <= 1.4.06 - Unauthenticated Arbitrary Event Creation to Stored XSS WordPress Security Vulnerability | MISC | wpscan.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
LEGACY: Mostafa Farzaneh
There are currently no legacy QID mappings associated with this CVE.