CVE-2024-8549
Simple Calendar – Google Calendar Plugin <= 3.4.2 - Reflected Cross-Site ScriptingThe Simple Calendar – Google Calendar Plugin plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 3.4.2. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
We have discovered 12,564 live websites that are affected by CVE-2024-8549.
Affected Software
| Product | |
| Category | Wordpress Plugins |
| Vulnerable Domains | 12,564 live websites (40.24% of Simple Calendar install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 100 versions ( 87.72% of all versions) |
Common Weakness Enumeration
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')Details
- Published - Sep 25, 2024
- Updated - Sep 25, 2024
Credits
- Dale Mavers (finder)
CWE
CVE References
CWE References
CVE-2024-8549 usage by Country
 United States | 4,879 websites |
 Germany | 1,604 websites |
 Japan | 936 websites |
 France | 750 websites |
 GB | 400 websites |
 Spain | 325 websites |
 Denmark | 311 websites |
 Netherlands | 297 websites |
 Italy | 232 websites |
 Switzerland | 219 websites |
CVE-2024-8549 usage by TLD
| .com | 3,749 websites |
| .org | 2,354 websites |
| .de | 1,048 websites |
| .fr | 334 websites |
| .net | 323 websites |
| .nl | 301 websites |
| .co.uk | 243 websites |
| .ca | 226 websites |
| .jp | 225 websites |
| .at | 200 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2024-8549
Top websites that are affected by CVE-2024-8549. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| *****.gov | United States | **,*** | |
| *****.****.cat | Spain | **,*** | |
| *************.org | United States | **,*** | |
| ***.org | United States | **,*** | |
| ****.**.jp | Japan | ***,*** | |
| ******.org | United States | ***,*** | |
| ****.org | United States | ***,*** | |
| ****.com | United States | ***,*** | |
| *******.**.***.br |  Brazil | ***,*** | |
| **********.com | United States | ***,*** |
FAQ
CVE-2024-8549 is Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Simple Calendar
A total of 12,564 websites have been identified as vulnerable to CVE-2024-8549, discovered through global website indexing conducted by WebTechSurvey.
Simple Calendar is susceptible to CVE-2024-8549 vulnerability.
Simple Calendar versions before, and including, 3.4.2 are vulnerable to CVE-2024-8549.
References
- https://www.wordfence.com/threat-intel/vulnerabilities/id/17ae3f22-6426-48f7-93e6-c0ad515b329a?source=cve
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3156894%40google-calendar-events&new=3156894%40google-calendar-events&sfp_email=&sfph_mail=
- https://plugins.trac.wordpress.org/changeset/3156894/google-calendar-events/trunk/includes/admin/notices.php