Description

WordPress Plugin The Events Calendar is prone to an open redirect vulnerability because the application fails to properly verify user-supplied input. Exploiting this issue may allow attackers to redirect users to arbitrary web sites and conduct phishing attacks; other attacks are also possible. WordPress Plugin The Events Calendar version 4.1.1 is vulnerable; prior versions may also be affected.

Remediation

Update to plugin version 4.1.1.1 or latest

References

https://github.com/moderntribe/the-events-calendar/commit/9b945d4c4df8c4f3fa35726aa64bbf6c08b9e3a9#diff-eb6b6c90251ab33cee784713c451e6d8R314

https://wordpress.org/plugins/the-events-calendar/changelog/

Related Vulnerabilities

WordPress Plugin Google Map Generator Cross-Site Scripting (1.3.1)

WordPress 4.0.x Multiple Vulnerabilities (4.0 - 4.0.31)

WordPress Plugin Rekt Slideshow TimThumb Arbitrary File Upload (1.0.5)

WordPress Plugin Special Text Boxes Unspecified Vulnerability (5.5.102)

WordPress Plugin Arigato Autoresponder and Newsletter Multiple Vulnerabilities (2.5.1.6)

Severity

High

Classification

CWE-601 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N

Tags

Missing Update Url Redirection