CVE-2022-4320
Published: 16 January 2023
Summary
CVE-2022-4320 is a medium-severity vulnerability in the Mhsoftware Wordpress Events Calendar Plugin; the record does not specify a CWE weakness type. Its CVSS base score is 6.1 (Medium).
Operationally, it ranks in the top 11.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
The WordPress Events Calendar plugin before version 1.4.5 is affected by a reflected cross-site scripting vulnerability. The plugin fails to sanitize and escape a request parameter before reflecting it back in the response, so attacker-controlled input is rendered as part of a page served by the WordPress site.
An attacker who gets a victim to open a crafted request can execute arbitrary script in that victim's browser; this applies to unauthenticated visitors as well as logged-in users, including high-privilege accounts such as administrators. Successful exploitation yields limited impacts on confidentiality and integrity while leaving availability unaffected, consistent with the reported CVSS vector.
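To make the "fails to sanitize and escape before reflecting" pattern concrete, the following PHP is an added illustration and not the Events Calendar plugin's code. The advisory does not name the affected parameter, so `evc_view` and the `evc_heading_*` functions are hypothetical; the `function_exists` stand-ins only exist so the file runs under plain `php` outside WordPress, where the real `esc_html()`, `esc_attr()` and `sanitize_text_field()` are used instead.

```php
<?php
// Added illustration, not the Events Calendar plugin's own code. The advisory
// does not name the reflected parameter; `evc_view` is a hypothetical stand-in.

// Minimal stand-ins so this file runs under plain `php` outside WordPress.
// Inside WordPress the real esc_html(), esc_attr() and sanitize_text_field()
// are defined by core and these blocks are skipped.
if (!function_exists('esc_html')) {
    function esc_html(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field(string $s): string {
        // Rough approximation of the WordPress helper: strip tags, control
        // characters and surrounding whitespace.
        $s = strip_tags($s);
        $s = preg_replace('/[\x00-\x1F\x7F]/', '', $s);
        return trim($s);
    }
}

// Vulnerable pattern: the request value is reflected into the response verbatim,
// so any markup or quote characters it carries become part of the page.
function evc_heading_vulnerable(?string $view): string {
    $view = $view ?? 'month';
    return '<h2 class="evc-heading" data-view="' . $view . '">Calendar: ' . $view . '</h2>';
}

// Hardened pattern: validate on input against an allow-list, then escape for
// the exact output context (attribute value vs. HTML text node).
function evc_heading_fixed(?string $view): string {
    $allowed = array('month', 'week', 'day');
    $view = sanitize_text_field($view ?? 'month');
    if (!in_array($view, $allowed, true)) {
        $view = 'month'; // anything outside the allow-list falls back to the default
    }
    return '<h2 class="evc-heading" data-view="' . esc_attr($view) . '">Calendar: '
        . esc_html($view) . '</h2>';
}

// Constructed sample input: a value carrying markup and a double quote, as an
// unsanitized query-string parameter could.
$sample = '<b>week</b>"';
echo "vulnerable: " . evc_heading_vulnerable($sample) . PHP_EOL;
echo "fixed:      " . evc_heading_fixed($sample) . PHP_EOL;
```

In a real plugin the value would come from `$_GET` (pass it through `wp_unslash()` first, since WordPress adds slashes to request superglobals). Two points matter for the fix: input validation alone is not enough, because a value that passes a loose check can still carry characters that are significant in HTML, and the escaping function has to match the output context (`esc_attr()` inside attributes, `esc_html()` in text, `esc_url()` for links), which is exactly the step the pre-1.4.5 plugin omitted.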
WPScan published a dedicated advisory entry for this issue that identifies the affected plugin versions and the specific parameter handling flaw. The current EPSS score of 0.0414 follows a material rise that peaked at 0.1546 on 2025-12-11 before receding, indicating a period of increased exploitation interest after the original disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-51673
Vulnerability details
The WordPress Events Calendar WordPress plugin before 1.4.5 does not sanitize and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against both unauthenticated and authenticated users (such as high-privilege ones like admin).
- CWE(s): not specified in this record
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.