CVE-2022-2846

MEDIUM

Calendar Event Multi View WP <1.4.07 - XSS

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2022-2846. PoCs published by Mostafa Farzaneh.

AI-analyzed exploit summary This exploit demonstrates an unauthenticated arbitrary event creation vulnerability in the Calendar Event Multi View WordPress plugin, leading to stored XSS. The PoC provides a form that submits malicious input to create an event with an XSS payload in the 'Subject' field.

Description

The Calendar Event Multi View WordPress plugin before 1.4.07 does not have any authorisation and CSRF checks in place when creating an event, and is also lacking sanitisation as well as escaping in some of the event fields. This could allow unauthenticated attackers to create arbitrary events and put Cross-Site Scripting payloads in it.

Exploits (1)

exploitdb WORKING POC
by Mostafa Farzaneh · textwebappsphp
https://www.exploit-db.com/exploits/51241

This exploit demonstrates an unauthenticated arbitrary event creation vulnerability in the Calendar Event Multi View WordPress plugin, leading to stored XSS. The PoC provides a form that submits malicious input to create an event with an XSS payload in the 'Subject' field.

Classification
Working Poc 100%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: Calendar Event Multi View WordPress plugin before 1.4.07
No auth needed
Prerequisites: Target WordPress site with vulnerable plugin installed · Ability to submit a POST request to the target endpoint
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2

Scores

CVSS v3 4.3
EPSS 0.0218
EPSS Percentile 80.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-862 CWE-352 CWE-79
Status published
Products (1)
dwbooster/calendar_event_multi_view < 1.4.07
Published Aug 16, 2022
Tracked Since Feb 18, 2026