WordPress Plugin Vulnerability Report – Modern Events Calendar Lite – Authenticated (Admin+) Stored Cross-Site Scripting – CVE-2023-4021
Plugin Name: Modern Events Calendar Lite
Key Information:
Software Type: Plugin
Software Slug: modern-events-calendar-lite
Software Status: Removed
Software Author: webnus
Software Downloads: 3,047,787
Active Installs: 100,000
Last Updated: September 28, 2023
Patched Versions: 7.1.0
Affected Versions: <7.1.0
Vulnerability Details:
Name: Modern Events Calendar lite < 7.1.0 - Authenticated (Admin+) Stored Cross-Site Scripting
Type: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE: CVE-2023-4021
CVSS Score: 4.4 (medium)
Publicly Published: September 28, 2023
Researcher: Marco Wotschka
Description:
The Modern Events Calendar lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Google API key and Calendar ID in versions up to, but not including, 7.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Summary:
The Modern Events Calendar Lite plugin for WordPress has a vulnerability in versions prior to 7.1.0 that allows Authenticated (Admin+) Stored Cross-Site Scripting. This vulnerability has been patched in version 7.1.0.
Detailed Overview:
The Modern Events Calendar Lite plugin in versions prior to 7.1.0 does not sufficiently sanitize the Google API key and Calendar ID settings on input or escape them on output, so an authenticated user with administrator access can store arbitrary JavaScript in those two fields. The payload is written into the page wherever the plugin renders those values and executes in the browser of anyone who views that page. The vulnerability was reported by researcher Marco Wotschka and has been addressed in Modern Events Calendar Lite version 7.1.0 through improved input sanitization. Because administrators on a default single-site install already hold the unfiltered_html capability, and can therefore add scripts without any bug, the issue only matters on multisite installations (where ordinary site administrators lack unfiltered_html by default) and on sites where that capability has been explicitly disabled.
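To make the bug class concrete, the following is an added illustration written for this report, not code from Modern Events Calendar Lite or from Webnus. It shows a hypothetical settings handler that stores a Google API key and Calendar ID the unsafe way (raw into the database, raw back into the page) next to a hardened form that validates on input and escapes on output. The option names (`demo_google_api_key`, `demo_calendar_id`), the `demo_` function names and the settings group are assumptions; the WordPress functions used (`sanitize_text_field`, `register_setting`, `esc_attr`, `esc_url`, `add_query_arg`, `wp_enqueue_script`) are real core APIs.

```php
<?php
/*
 * Hypothetical settings handler used to illustrate CVE-2023-4021's bug class.
 * Not the plugin's code: option names, function names and the settings group
 * are assumptions made for this example.
 */

/* ---------- VULNERABLE PATTERN: no sanitization, no escaping ---------- */

function demo_save_settings_vulnerable() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    check_admin_referer( 'demo_settings' );
    // Stored verbatim: a value such as  "><script>alert(1)</script>  survives.
    // Nothing here consults unfiltered_html, so an admin who has been denied
    // that capability (multisite, or a hardened site) can still store markup.
    update_option( 'demo_google_api_key', wp_unslash( $_POST['google_api_key'] ) );
    update_option( 'demo_calendar_id',    wp_unslash( $_POST['calendar_id'] ) );
}

function demo_render_settings_vulnerable() {
    $key = get_option( 'demo_google_api_key', '' );
    $cal = get_option( 'demo_calendar_id', '' );
    // Unescaped output inside an attribute: the stored payload closes the
    // attribute and its <script> runs for every user who opens this page.
    echo '<input name="google_api_key" value="' . $key . '">';
    echo '<input name="calendar_id" value="' . $cal . '">';
}

/* ---------- HARDENED PATTERN: validate on input, escape on output ---------- */

function demo_sanitize_token( $value ) {
    // Keys and calendar IDs are opaque tokens, never HTML. Strip tags and
    // control characters, then allow-list the characters Google actually uses
    // (letters, digits, "-", "_", "." and "@" for calendar addresses).
    $value = sanitize_text_field( (string) $value );
    return preg_replace( '/[^A-Za-z0-9_\-\.@]/', '', $value );
}

function demo_register_settings() {
    // sanitize_callback runs on every save, independently of who is saving,
    // so the stored value is a clean token even when unfiltered_html is absent.
    register_setting( 'demo', 'demo_google_api_key', array( 'sanitize_callback' => 'demo_sanitize_token' ) );
    register_setting( 'demo', 'demo_calendar_id',    array( 'sanitize_callback' => 'demo_sanitize_token' ) );
}
add_action( 'admin_init', 'demo_register_settings' );

function demo_render_settings_hardened() {
    // Escape for the attribute context even though the value was sanitized:
    // input validation and output escaping are independent defences.
    printf( '<input name="google_api_key" value="%s">', esc_attr( get_option( 'demo_google_api_key', '' ) ) );
    printf( '<input name="calendar_id" value="%s">',    esc_attr( get_option( 'demo_calendar_id', '' ) ) );
}

function demo_enqueue_maps_hardened() {
    $key = get_option( 'demo_google_api_key', '' );
    if ( '' === $key ) {
        return;
    }
    // When the key ends up in a script URL, build it with add_query_arg
    // (which URL-encodes the value) and pass it through esc_url before use.
    $src = add_query_arg( 'key', $key, 'https://maps.googleapis.com/maps/api/js' );
    wp_enqueue_script( 'demo-google-maps', esc_url( $src ), array(), null, true );
}
add_action( 'wp_enqueue_scripts', 'demo_enqueue_maps_hardened' );
```

The point the hardened half makes is that a plugin's own settings fields sit outside WordPress's kses filtering of post content, so the capability check that normally stops a non-unfiltered_html administrator from adding scripts does nothing for them; the plugin itself has to enforce the data type on save and escape for the output context on render.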
Advice for Users:
Immediate Action: Update to Modern Events Calendar Lite version 7.1.0 or higher as soon as possible.
Check for Signs of Compromise: Inspect the plugin's Google API key and Calendar ID settings (in the admin UI, or the stored options in the database) for anything that is not a plain key or calendar address; characters such as <, >, quotes, or strings like script or javascript: in those fields indicate an injected payload. Review the rest of the site for unauthorized JavaScript or HTML as well.
Alternate Plugins: Consider using alternate calendar plugins like The Events Calendar as a precaution.
Stay Updated: Always keep your plugins updated to avoid potential vulnerabilities.
Conclusion:
This vulnerability demonstrates the importance of timely security updates for WordPress plugins. Users should upgrade to the latest Modern Events Calendar Lite 7.1.0 release that contains the fix for this issue.
References:
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/modern-events-calendar-lite
Detailed Report:
Keeping your WordPress website and its plugins up-to-date is critical for security. Unfortunately, outdated plugins can harbor dangerous vulnerabilities that put your site at risk of compromise. One such vulnerable plugin is Modern Events Calendar Lite versions prior to 7.1.0. This popular calendar plugin contains an authenticated stored cross-site scripting vulnerability that could allow malicious scripts to be injected into your site. While the vulnerability has been patched, any site still running an old version of Modern Events Calendar Lite could be exploited. In this post, we’ll break down this recently disclosed vulnerability, assess the risks it poses, and provide actionable advice to help ensure your WordPress site stays secure.
Modern Events Calendar Lite is a free events calendar plugin with over 3 million downloads. It allows you to create and manage events on your WordPress site. However, versions before 7.1.0 contain a stored cross-site scripting (XSS) vulnerability. This issue allows authenticated users with admin access to inject arbitrary JavaScript code into pages via the Google API key and Calendar ID fields. An attacker could exploit this to execute malicious scripts when a user views a compromised page.
The vulnerability received a CVSS severity score of 4.4 (medium). The rating is moderate rather than high because exploitation requires an existing administrator account, and on a default single-site install administrators already hold the unfiltered_html capability and can add scripts without any bug. The issue therefore affects multisite installations, where ordinary site administrators lack unfiltered_html by default, and sites where that capability has been explicitly disabled. There it lets an administrator who was deliberately denied script injection store JavaScript that runs in the browsers of other users, including super admins, which opens the usual stored XSS outcomes: phishing, theft of credentials or session data, and actions performed with the victim's privileges, up to takeover if the victim is a super admin.
The good news is that Modern Events Calendar Lite patched this vulnerability in version 7.1.0, released on September 28, 2023. At the time of writing, the plugin has been temporarily removed from the WordPress repository pending verification of the fix.
To protect your site, it is strongly recommended to update to the latest secure version 7.1.0 or higher immediately once it is reinstated. Be sure to delete any existing vulnerable versions. If you cannot update immediately, consider removing the plugin or restricting admin access as a temporary precaution.
This is not the first vulnerability found in Modern Events Calendar Lite. In 2021, a reflected XSS issue was addressed in version 5.14.5. Regularly updating plugins is key to getting timely security fixes.
As a busy small business owner, staying on top of plugin vulnerabilities may not be feasible. Consider having your web developer or agency monitor and manage updates for you. WordPress security plugins like Wordfence can also automatically alert you to outdated software. Prioritizing updates of popular plugins like calendars is wise to avoid becoming an easy target.
Keeping WordPress and its plugins updated is an essential website security practice. The Modern Events Calendar Lite vulnerability illustrates that threats emerge frequently. Taking proactive steps to lock down your site will reduce the chances of a serious breach that could interrupt your business.
Don't tackle WordPress security alone - the consequences of a breach are too great. At Your WP Guy, our managed WordPress maintenance services include layers of protection like auto-updates, malware scanning, firewalls and 24/7 monitoring by WordPress experts. We become your outsourced IT team.
Let's chat about migrating your site to our managed hosting so you can finally stop worrying about security issues. We'll fully audit and lock down your site as part of onboarding. Call us at 678-995-5169 to keep your business safe online.