WordPress Plugin Vulnerabilities
Event Geek <= 2.5.2 - Stored Cross-site Scripting (XSS)
Description
The plugin does not sanitise or escape its "Use your own theme" setting before outputting it in the page, leading to an authenticated (admin+) stored Cross-Site Scripting issue
Proof of Concept
As admin, put the following payload in the "Use your own theme (enter URL):" option (wp-admin/edit.php?post_type=gg_events&page=gg_event_menu) of the plugin: "><script>alert(/XSS/)</script>
Affects Plugins
References
CVE
Classification
Type
XSS
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
ABISHEIK M
Submitter
ABISHEIK M
Submitter twitter
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2021-06-28 (about 2 years ago)
Added
2021-06-28 (about 2 years ago)
Last Updated
2021-08-10 (about 2 years ago)