CVE-2022-2846

MEDIUM

Calendar Event Multi View WP <1.4.07 - XSS

Title source: llm

Description

The Calendar Event Multi View WordPress plugin before 1.4.07 does not have any authorisation and CSRF checks in place when creating an event, and is also lacking sanitisation as well as escaping in some of the event fields. This could allow unauthenticated attackers to create arbitrary events and put Cross-Site Scripting payloads in it.

Exploits (1)

exploitdb WORKING POC

by Mostafa Farzaneh · textwebappsphp

https://www.exploit-db.com/exploits/51241

View Code ZIP pw:eip

References (2)

[Exploit, Third Party Advisory] http://packetstormsecurity.com/files/171697/Calendar-Event-Multi-View-1.4.07-Cross-Site-Scripting.html

[Exploit, Third Party Advisory] https://wpscan.com/vulnerability/95f92062-08ce-478a-a2bc-6d026adf657c

Scores

CVSS v3 4.3

EPSS 0.0305

EPSS Percentile 86.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Details

CWE

CWE-862 CWE-352 CWE-79

Status published

Products (1)

dwbooster/calendar_event_multi_view < 1.4.07

Published Aug 16, 2022

Tracked Since Feb 18, 2026