WordPress Plugin Vulnerabilities

Mobile Events Manager < 1.4.4 - Admin+ Stored Cross-Site Scripting

Description

The plugin does not sanitise and escape various of its settings, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed

Proof of Concept

Payload used: <script>alert(/XSS/)</script>

- Put the payload in the TMEM Events > Settings > Events > Event prefix field, then Create an event to trigger the XSS
- Put the payload in the TMEM Events > Settings > Client Zone > Application Name field. The XSS will be triggered thought the plugin
- Put the payload in the TMEM Events > Settings > General > Company Name field. The XSS will be triggered in the admin dashboard

Affects Plugins

Plugin icon
mobile-events-manager
Fixed in 1.4.4

References

CVE
CVE-2021-25049
URL
https://plugins.trac.wordpress.org/changeset/2647987

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
3.4 (low)

Miscellaneous

Original Researcher
Varun thorat
Submitter
Varun thorat
Submitter twitter
Extrins1c
Verified
Yes
WPVDB ID
227cbf50-59da-4f4c-85da-1959a108ae7e

Timeline

Publicly Published
2021-12-24 (about 2 years ago)
Added
2021-12-24 (about 2 years ago)
Last Updated
2022-04-10 (about 2 years ago)

Other

Published
Title
Published
2023-10-18
Title
Product Category Tree <= 2.5 - Reflected XSS
Published
2020-05-25
Title
Add-on SweetAlert Contact Form 7 < 1.0.8 - Authenticated Stored Cross-Site Scripting (XSS)
Published
2021-10-11
Title
Multiple Plugins from Avirtum - Reflected Cross-Site Scripting
Published
2024-04-18
Title
Customer Reviews for WooCommerce < 5.48.0 - Reflected Cross-Site Scripting via 's'
Published
2024-04-05
Title
Form to Chat App < 1.1.7 - Authenticated (Contributor+) Stored Cross-Site Scripting