Mobile Events Manager < 1.4.4 – Admin+ Stored Cross-Site Scripting | CVE 2021-25049 | Plugin Vulnerabilities

Description

The plugin does not sanitise and escape various of its settings, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed

Proof of Concept

Payload used: <script>alert(/XSS/)</script>

- Put the payload in the TMEM Events > Settings > Events > Event prefix field, then Create an event to trigger the XSS
- Put the payload in the TMEM Events > Settings > Client Zone > Application Name field. The XSS will be triggered thought the plugin
- Put the payload in the TMEM Events > Settings > General > Company Name field. The XSS will be triggered in the admin dashboard

Affects Plugins

mobile-events-manager

Fixed in 1.4.4

References

CVE

URL

https://plugins.trac.wordpress.org/changeset/2647987

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Varun thorat

Submitter

Varun thorat

Submitter twitter

Verified

Yes

WPVDB ID

227cbf50-59da-4f4c-85da-1959a108ae7e

Timeline

Publicly Published

2021-12-24 (about 4 years ago)

Added

2021-12-24 (about 4 years ago)

Last Updated

2022-04-10 (about 3 years ago)

Other

Published

Title

Published

2023-05-16

Title

Contact Form Email < 1.3.38 - Unauthenticated Stored Cross-Site Scripting

Published

2023-04-26

Title

SEO ALert <= 1.59 - Admin+ Stored XSS

Published

2021-07-26

Title

HD Quiz < 1.8.4 - Authenticated Stored XSS

Published

2022-04-25

Title

Tracked Tweets <= 0.2.9 - Reflected Cross-Site Scripting

Published

2024-05-30

Title

WP Back Button <= 1.1.3 - Authenticated (Admin+) Stored Cross-Site Scripting