CVE-2024-3755
📋 TL;DR
The MF Gig Calendar WordPress plugin through version 1.2.1 contains a stored cross-site scripting (XSS) vulnerability in its settings. This allows authenticated users with editor-level privileges or higher to inject malicious scripts that execute when other users view affected pages, even in WordPress multisite configurations where unfiltered_html is restricted. The vulnerability affects WordPress sites using this plugin.
💻 Affected Systems
- MF Gig Calendar WordPress Plugin
📦 What is this software?
Mf Gig Calendar by Mf Gig Calendar Project
⚠️ Risk & Real-World Impact
Worst Case
An attacker with editor privileges could inject malicious JavaScript that steals administrator credentials, redirects users to malicious sites, or performs actions on behalf of authenticated users, potentially leading to complete site compromise.
Likely Case
An editor-level user could inject persistent scripts that display unwanted content, deface the site, or steal session cookies from other users viewing the affected calendar pages.
If Mitigated
With proper user privilege management and content security policies, the impact is limited to potential defacement or nuisance scripts affecting only users who view the compromised calendar pages.
🎯 Exploit Status
Exploitation requires authenticated access with editor privileges or higher. The vulnerability is in plugin settings that lack proper input sanitization and output escaping.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.2.2 or later
Vendor Advisory: https://wpscan.com/vulnerability/d34caeaf-2ecf-44a2-b308-e940bafd402c/
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Locate the 'MF Gig Calendar' plugin.
4. Click 'Update Now' if an update is available.
5. Alternatively, download version 1.2.2+ from the WordPress repository and update manually.
🔧 Temporary Workarounds
Temporary Plugin Deactivation
Disable the vulnerable plugin until the patched version is installed:
wp plugin deactivate mf-gig-calendar
Restrict User Privileges
Temporarily remove editor privileges from untrusted users (authors cannot edit plugin settings):
wp user update <user_id> --role=author
🧯 If You Can't Patch
- Implement Content Security Policy (CSP) headers to restrict script execution
- Apply WordPress security plugins that filter XSS payloads and monitor for suspicious activity
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for the MF Gig Calendar version. If the version is 1.2.1 or earlier, the site is vulnerable.
Check Version:
wp plugin get mf-gig-calendar --field=version
Verify Fix Applied:
Verify plugin version is 1.2.2 or later in WordPress admin panel. Test that editor users cannot inject scripts in calendar settings.
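The version check above can be scripted. This is an added example, not part of the advisory or the plugin: it reads the installed version with wp-cli (assumed available, run from the WordPress root) and compares it numerically against 1.2.2, so that a hypothetical 1.2.10 is correctly treated as newer than 1.2.2 while 1.2.1 and earlier are flagged.

```shell
#!/bin/sh
# Added example (not from the advisory): flag an installed MF Gig Calendar
# version that falls inside the affected range (1.2.1 or earlier).
FIXED_VERSION="1.2.2"

# Compare two dotted versions component by component as integers.
# Prints -1, 0 or 1. Non-numeric suffixes (e.g. "1.2.1-beta") are ignored.
version_cmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; y="${b%%.*}"
        # consume the leading component; no dot left means the rest is used up
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
        x="${x%%[!0-9]*}"; y="${y%%[!0-9]*}"
        : "${x:=0}" "${y:=0}"      # missing components count as 0 (1.2 == 1.2.0)
        if [ "$x" -lt "$y" ]; then echo -1; return; fi
        if [ "$x" -gt "$y" ]; then echo 1; return; fi
    done
    echo 0
}

# Exit status 0 (true) when the given version is affected by CVE-2024-3755.
is_vulnerable() {
    [ "$(version_cmp "$1" "$FIXED_VERSION")" -lt 0 ]
}

# Query the live site; exit 2 when the installed version is affected.
check_site() {
    v="$(wp plugin get mf-gig-calendar --field=version 2>/dev/null)" \
        || { echo "mf-gig-calendar is not installed"; return 0; }
    if is_vulnerable "$v"; then
        echo "VULNERABLE: mf-gig-calendar $v (< $FIXED_VERSION)"; return 2
    fi
    echo "OK: mf-gig-calendar $v"
}

# Run the live check only when invoked as: sh check.sh --check
case "${1:-}" in --check) check_site ;; esac
```

Versions with a non-numeric component after the digits are compared on the numeric part only, which is good enough for the 1.2.x line discussed here.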
📡 Detection & Monitoring
Log Indicators:
- Unusual plugin setting modifications by editor users
- Multiple failed XSS filter attempts in security logs
Network Indicators:
- Unexpected JavaScript loading from calendar pages
- Suspicious outbound connections from calendar views
SIEM Query:
source="wordpress" AND ((event="plugin_updated" AND plugin="mf-gig-calendar" AND version<="1.2.1") OR (event="user_role_changed" AND new_role="editor"))