WordPress The Holiday Calendar 1.11.2 XSS

Posted on Posted in Exploit

WordPress The Holiday Calendar plugin version 1.11.2 suffers from a cross site scripting vulnerability.

---------- Forwarded message ----------
From: Luciano Pedreira <lpedreira@gmail.com>
Date: 2015-07-20 10:06 GMT-03:00
Subject: CVE_for_Vulnerability_theholidaycalendar
To: cve-assign@mitre.org


In a recent research conducted in the "The Holiday Calendar" plugin (
http://www.theholidaycalendar.com /
https://wordpress.org/plugins/the-holiday-calendar) I found vulnerability
related at Cross Site Scripting.

. The Holiday Calendar plugin Cross Site Scripting Issues

This problem was confirmed in the following versions of the "The Holiday
Calendar", other prior versions maybe also affected.

Version: 1.11.2
(Tested with Mozilla Firefox Browser)


The "The Holiday Calendar" plugin (http://www.theholidaycalendar.com /
https://wordpress.org/plugins/the-holiday-calendar) is affected by Cross
Site Scripting. The variable "thc-month" do not sanitize input data,
allowing attacker to store malicious javascript code in a page.

Proof of Concept to exploit the vulnerability:





This vulnerability was discovered and researched by Luciano Pedreira
(a.k.a. shark)

I wonder how to create a CVE for this publication?

best regards,

Luciano Pedreira

Quelle: Packet storm Security