Totalsoft Event Calendar – Calendar plugin is prone to an Authenticated (subscriber+) Reflected Cross-Site Scripting (XSS) vulnerability. An attacker can host a maliciously crafted website, or simply send a crafted link, and trick a logged-in user (Subscriber role or higher) into opening it. The link carries a request parameter that the plugin reflects into its response without sanitisation, so attacker-controlled JavaScript runs in the victim's browser in the context of the vulnerable site. The payload is client-side script executed by the victim's browser, not PHP code executed on the user's system.
What causes the issue? The issue is caused by insecure coding practices: user-supplied data taken from the request is written back into the page without validation or output encoding.
What are the symptoms? The main indicator of this issue is that an attacker is able to execute script of their choosing in the user's browser. You might experience any of the following symptoms if this issue occurs:
- User is redirected to an attacker's website
- User is shown spoofed content (in the page itself, or in a follow-up email/SMS/etc.) that looks like it comes from the organisation/person she is actually conversing with
- User's session is hijacked and access is given to an attacker
Recommendations:
- Install the update from the vendor site (update the plugin to the fixed release)
- Validate user-supplied data and escape it on output; in WordPress the standard helpers are esc_html(), esc_attr() and esc_url(), chosen by the context the value is written into
- Do not treat authentication as a mitigation: the vulnerable endpoint already requires a logged-in (Subscriber+) user, so every registered account is a potential victim. Review whether open registration is needed and remove unused low-privilege accounts
- Audit your code and fix any vulnerabilities related to this issue
User is redirected to an attacker's website
If the issue is exploited, the injected script can hijack the user's session or send them to a malicious website. This happens when a logged-in user clicks a crafted link, for example one posted in a social media feed or sent by email.
What are the possible solutions? The issue is solved by eliminating the insecure coding practice: validate all user-supplied data and encode it before reflecting it into HTML.
Steps to mitigate:
- Eliminate insecure coding practices
- Validate all user-supplied data and escape it on output
Cross-site Scripting (XSS)
Cross-site Scripting vulnerabilities occur when a flaw in an application's code allows attacker-controlled input to be injected into a page and executed as script within the context of that application. In the reflected form described here, server-side code writes request input straight back into the response without sanitising or encoding it, so a crafted URL is enough to deliver the payload. XSS vulnerabilities are often exploited by attackers who want to steal credentials or session tokens from unsuspecting users, force a redirection to a website of their choosing, or perform actions on the site with the victim's privileges.
Timeline
Published on: 09/21/2022 20:15:00 UTC
Last modified on: 09/23/2022 02:59:00 UTC