Abstract
A Cross-Site Scripting vulnerability was found in the Calendar WordPress Plugin. This issue allows an attacker to perform a wide variety of actions, such as stealing Administrators' session tokens, or performing arbitrary actions on their behalf. In order to exploit this issue, the attacker has to lure/force a logged on WordPress Administrator into opening a malicious website.
OVE ID
OVE-20160725-0008
Tested versions
This issue was successfully tested on Calendar WordPress Plugin version 1.3.7.
Fix
This issue is resolved in Calendar version 1.3.8.
Introduction
The Calendar WordPress Plugin allows users to manage events and appointments and display them to the world. A Cross-Site Scripting vulnerability was found in the Calendar WordPress Plugin. This issue allows an attacker to perform a wide variety of actions, such as stealing Administrators' session tokens, or performing arbitrary actions on their behalf.
Details
For any page containing a calendar the GET request parameters are appended as hidden inputs when the calendar is configured to have a date switcher. The input isn't properly sanitised and allows an attacker to add attributes to the input, including events.
In order to exploit this issue, the attacker has to lure/force a logged on WordPress Administrator into opening a malicious website. In addition, the calendar must configured to have a date switcher. By default this is disabled.
Proof of concept
Given the post hello-world, which has a calendar, visit the page with the following URL:
http://
The key combination CTRL + ALT + x triggers the onclick event.