My Calendar 2.5.16 – Authenticated stored XSS

INFO

Product: My Calendar
Version: 2.5.16
Active installations: 30,000+
Product page: https://it.wordpress.org/plugins/my-calendar/

DESCRIPTION

An authenticated user, who can add new events,  can inject arbitrary javascript code via event_time_label input. The arbitrary code runs both on the event page and in the admin panel.

In my-calendar-event-manager.php, line 1873, the variable $eventTime is not sanitized.

PROOF OF CONCEPT


My Calendar 2.5.16 is vulnerable, probably earlier versions too. Joe Dolson, My Calendar’s author, was really quick to fix the vulnerability and update the plugin.

02/04/2018 – I send the report
03/04/2018 – My Calendar is updated to version 2.5.17 and the vulnerability is fixed
18/04/2018 – Public disclosure