CVE-2024-12468
MEDIUMWP Datepicker <= 2.1.4 - Unauthenticated Reflected Cross-Site Scripting via wpdp_get_selected_datepicker Parameter
Title source: llmDescription
The WP Datepicker plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'wpdp_get_selected_datepicker' parameter in all versions up to, and including, 2.1.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
References (17)
Core 17
Core References
Product
https://plugins.trac.wordpress.org/browser/wp-datepicker/tags/2.1.3/inc/wpdp_settings.php#L267
Product
https://plugins.trac.wordpress.org/browser/wp-datepicker/tags/2.1.3/inc/wpdp_settings.php#L271
Product
https://plugins.trac.wordpress.org/browser/wp-datepicker/tags/2.1.3/inc/wpdp_settings.php#L359
Product
https://plugins.trac.wordpress.org/browser/wp-datepicker/tags/2.1.3/inc/wpdp_settings.php#L361
Product
https://plugins.trac.wordpress.org/browser/wp-datepicker/tags/2.1.3/inc/wpdp_settings.php#L377
Product
https://plugins.trac.wordpress.org/browser/wp-datepicker/tags/2.1.3/inc/wpdp_settings.php#L401
Product
https://plugins.trac.wordpress.org/browser/wp-datepicker/tags/2.1.3/inc/wpdp_settings.php#L402
Product
https://plugins.trac.wordpress.org/browser/wp-datepicker/tags/2.1.3/inc/wpdp_settings.php#L408
Product
https://plugins.trac.wordpress.org/browser/wp-datepicker/tags/2.1.3/inc/wpdp_settings.php#L409
Product
https://plugins.trac.wordpress.org/browser/wp-datepicker/tags/2.1.3/inc/wpdp_settings.php#L415
Product
https://plugins.trac.wordpress.org/browser/wp-datepicker/tags/2.1.3/inc/wpdp_settings.php#L416
Product
https://plugins.trac.wordpress.org/browser/wp-datepicker/tags/2.1.3/inc/wpdp_settings.php#L423
Product
https://plugins.trac.wordpress.org/browser/wp-datepicker/tags/2.1.3/inc/wpdp_settings.php#L552
Scores
CVSS v3
6.1
EPSS
0.0046
EPSS Percentile
36.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-79
Status
published
Products (2)
androidbubbles/wp_datepicker
< 2.1.4
fahadmahmood/WP Datepicker
< 2.1.4
Published
Dec 24, 2024
Tracked Since
Feb 18, 2026