WordPress My Calendar Plugin Multiple Cross Site Scripting Vulnerabilities

Bugtraq ID:	51539
Class:	Input Validation Error
CVE:	CVE-2012-6527
Remote:	Yes
Local:	No
Published:	Jan 18 2012 12:00AM
Updated:	Mar 19 2015 07:34AM
Credit:	Dean Batha
Vulnerable:	WordPress My Calendar 1.10.1
Not Vulnerable:	WordPress My Calendar 1.10.5

WordPress My Calendar Plugin Multiple Cross Site Scripting Vulnerabilities

My Calendar plugin for WordPress is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.

My Calendar 1.10.1 is vulnerable; other versions may also be affected.

WordPress My Calendar Plugin Multiple Cross Site Scripting Vulnerabilities

Attackers can exploit these issues by enticing an unsuspecting user to follow a malicious URI.

WordPress My Calendar Plugin Multiple Cross Site Scripting Vulnerabilities

Solution:
Updates are available. Please see the references for more information.

WordPress My Calendar Plugin Multiple Cross Site Scripting Vulnerabilities

References:

• Changeset 490070 for WordPress My Calendar (WordPress)
  
• Email Newsletter plugin Homepage (WordPress)
  
• WordPress My Calendar Homepage (WordPress)