CVE-2022-2846

Published: Aug 16, 2022Modified: Jun 17, 2026

4.3

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Exploitability: 2.8 / Impact: 1.4

Source: NVD

Description

The Calendar Event Multi View WordPress plugin before 1.4.07 does not have any authorisation and CSRF checks in place when creating an event, and is also lacking sanitisation as well as escaping in some of the event fields. This could allow unauthenticated attackers to create arbitrary events and put Cross-Site Scripting payloads in it.

Affected (1)

Products: Dwbooster: Calendar Event Multi View

1 product

Calendar Event Multi View

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Dwbooster Calendar Event Multi View	Before 1.4.07

Related CWEs

Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

References (4)

http://packetstormsecurity.com/files/171697/Calendar-Event-Multi-View-1.4.07-Cross-Site-Scripting.html

Source: cna@vuldb.com

https://wpscan.com/vulnerability/95f92062-08ce-478a-a2bc-6d026adf657c

Source: cna@vuldb.com

ExploitThird Party Advisory

http://packetstormsecurity.com/files/171697/Calendar-Event-Multi-View-1.4.07-Cross-Site-Scripting.html

Source: af854a3a-2127-422b-91ae-364da2661108

https://wpscan.com/vulnerability/95f92062-08ce-478a-a2bc-6d026adf657c

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

Timeline

No history available yet.