CVE-2022-27848: 
WordPress vulnerability analysis and mitigation

The Modern Events Calendar Lite WordPress plugin version 6.5.1 and earlier contains an authenticated Stored Cross-Site Scripting (XSS) vulnerability. The vulnerability was discovered and reported on April 14, 2022, and was assigned the identifier CVE-2022-27848. This security issue affects the WordPress plugin Modern Events Calendar Lite up to version 6.5.1, with a fix released in version 6.5.2 (Patchstack Report).

The vulnerability is classified as a Stored Cross-Site Scripting (XSS) issue with a CVSS severity rating of 3.4 (Low). The vulnerability requires authentication and can only be exploited by users with administrator or higher privileges. The issue is tracked under CWE-79, which is the Common Weakness Enumeration identifier for Cross-Site Scripting vulnerabilities (Patchstack Report).

If exploited, this vulnerability could allow a malicious actor with administrative access to inject malicious scripts, including redirects, advertisements, and other HTML payloads into the website. These injected scripts would then be executed when guests visit the affected site (Patchstack Report).

The vulnerability was patched in version 6.5.2 of the Modern Events Calendar Lite plugin. Users are advised to update to version 6.5.2 or later to remove the vulnerability. The plugin has since been closed as of May 11, 2022, and is no longer available for download from the WordPress plugin repository (WordPress Plugin, Patchstack Report).