CVE-2022-2846
Published: 16 August 2022
Summary
CVE-2022-2846 is a medium-severity Cross-site Scripting (CWE-79) vulnerability in Dwbooster Calendar Event Multi View. Its CVSS base score is 4.3 (Medium).
Operationally, it ranks in the top 13.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
The Calendar Event Multi View WordPress plugin before version 1.4.07 is affected by missing authorization and CSRF checks during event creation, combined with inadequate input sanitization and output escaping on certain event fields. This corresponds to CWE-79, CWE-862, and CWE-352, and carries a CVSS 3.1 score of 4.3 reflecting network-accessible impact limited to integrity changes without authentication.
Unauthenticated attackers can therefore submit requests that create arbitrary calendar events containing stored Cross-Site Scripting payloads, which execute in the browsers of users who view the affected events.
Public disclosures on WPScan and Packet Storm document the flaw and confirm that the vendor addressed it in the 1.4.07 release. The associated EPSS score reached a peak of 0.0524 on 2026-04-06 before receding to its current value of 0.0305.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-35080
Vulnerability details
The Calendar Event Multi View WordPress plugin before 1.4.07 does not have any authorisation and CSRF checks in place when creating an event, and is also lacking sanitisation as well as escaping in some of the event fields. This could allow unauthenticated attackers to create arbitrary events and put Cross-Site Scripting payloads in it.
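The defect class described above (missing nonce and capability checks on event creation, plus event fields stored unsanitized and rendered unescaped), shown as a hypothetical WordPress AJAX handler next to its hardened counterpart. This is an added illustration, not the plugin's own code; the hook names, the cemv_events option key and the request field names are assumptions.

```php
<?php
// Hypothetical WordPress AJAX handler illustrating the defect class above.
// Added example, not the plugin's own code; hook, option and field names are assumed.

// --- Vulnerable pattern ---
// The *_nopriv hook makes the handler reachable without logging in.
add_action( 'wp_ajax_cemv_create_event', 'cemv_create_event_unsafe' );
add_action( 'wp_ajax_nopriv_cemv_create_event', 'cemv_create_event_unsafe' );

function cemv_create_event_unsafe() {
    // No nonce (CSRF, CWE-352), no capability check (CWE-862), no sanitization.
    $events   = get_option( 'cemv_events', array() );
    $events[] = array( 'title' => $_POST['title'], 'date' => $_POST['date'] );
    update_option( 'cemv_events', $events );
    wp_send_json_success();
}

function cemv_render_events_unsafe() {
    foreach ( get_option( 'cemv_events', array() ) as $event ) {
        // Stored field reaches the page unescaped: stored XSS (CWE-79).
        echo '<li>' . $event['title'] . ' (' . $event['date'] . ')</li>';
    }
}

// --- Hardened pattern ---
// Registered only for authenticated requests; no *_nopriv variant.
add_action( 'wp_ajax_cemv_create_event_safe', 'cemv_create_event_safe' );

function cemv_create_event_safe() {
    // CSRF: verify the nonce issued for this action (dies with 403 on failure).
    check_ajax_referer( 'cemv_create_event', 'nonce' );
    // Authorization: require a capability appropriate for event creation.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // Sanitize each field on input.
    $events   = get_option( 'cemv_events', array() );
    $events[] = array(
        'title' => sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) ),
        'date'  => sanitize_text_field( wp_unslash( $_POST['date'] ?? '' ) ),
    );
    update_option( 'cemv_events', $events );
    wp_send_json_success();
}

function cemv_render_events_safe() {
    foreach ( get_option( 'cemv_events', array() ) as $event ) {
        // Escape on output regardless of what was stored.
        echo '<li>' . esc_html( $event['title'] ) . ' (' . esc_html( $event['date'] ) . ')</li>';
    }
}
```

The nonce, capability and sanitization checks each close one of the three CWEs cited for this CVE; the output escaping in the render function is the defence that still holds if any earlier check is bypassed.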
Related Threats
No named actor attribution yet. ATT&CK technique mapping is in progress for this CVE.
Mitigating Controls
Likely Mitigating Controls (AI)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Requiring an access control policy ensures authorization checks are defined and applied for critical functions.
- Reviews of access controls detect missing authorization checks on critical functions or resources.
- Documenting permitted unauthenticated actions prevents missing authorization by making all exceptions explicit and subject to organizational review.
- Requiring attribute association with information prevents authorization from being performed without the necessary security or privacy context.
- Mandating authorization prior to allowing remote connections addresses missing authorization for remote access.
- Mandating authorization before wireless connections are allowed prevents missing authorization for wireless access.
- Requiring authorization before allowing mobile device connections directly mitigates missing authorization for system access.
- Requiring approvals for account creation and specifying authorizations ensures authorization is not missing for system access.