CVE-2021-24498
MEDIUM EXPLOITED NUCLEI
Calendar Event Multi View < 1.4.01 - Reflected Cross-Site Scripting via 'start' and 'end' GET Parameters
Title source: llm
Exploitation Summary
CVE-2021-24498 has been observed exploited in the wild (reported by VulnCheck KEV). A Nuclei detection template is also available.
Description
The Calendar Event Multi View WordPress plugin before 1.4.01 does not sanitise or escape the 'start' and 'end' GET parameters before outputting them in the page (via php/edit.php), leading to a reflected Cross-Site Scripting issue.
Nuclei Templates (1)
WordPress Calendar Event Multi View <1.4.01 - Cross-Site Scripting
MEDIUM by suman_kar
References (1)
Core References
Exploit, Third Party Advisory x_refsource_misc
https://wpscan.com/vulnerability/3c5a5187-42b3-4f88-9b0e-4fdfa1c39e86
Scores
CVSS v3
6.1
EPSS
0.0307
EPSS Percentile
85.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Details
VulnCheck KEV
2025-06-08
CWE
CWE-79
Status
published
Products (1)
dwbooster/calendar_event_multi_view
< 1.4.01
Published
Aug 02, 2021
Tracked Since
Feb 18, 2026