Event Geek <= 2.5.2 – Stored Cross-site Scripting (XSS) | CVE 2021-24480 | Plugin Vulnerabilities

Description

The plugin does not sanitise or escape its "Use your own theme" setting before outputting it in the page, leading to an authenticated (admin+) stored Cross-Site Scripting issue

Proof of Concept

As admin, put the following payload in the "Use your own theme (enter URL):" option (wp-admin/edit.php?post_type=gg_events&page=gg_event_menu) of the plugin: "><script>alert(/XSS/)</script>

Affects Plugins

No known fix

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

ABISHEIK M

Submitter

ABISHEIK M

Submitter twitter

Verified

Yes

WPVDB ID

243d417a-6fb9-4e17-9e12-a8c605f9af8a

Timeline

Publicly Published

2021-06-28 (about 4 years ago)

Added

2021-06-28 (about 4 years ago)

Last Updated

2021-08-10 (about 4 years ago)

Other

Published

Title

Published

2025-02-23

Title

Frontend Admin by DynamiApps < 3.25.18 - Reflected Cross-Site Scripting

Published

2024-05-03

Title

Rank Math SEO with AI Best SEO Tools < 1.0.218 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2025-11-03

Title

Clubmember <= 0.2 - Authenticated (Admin+) Stored Cross-Site Scripting

Published

2024-06-28

Title

Login with phone number < 1.7.36 - Authenticated (Administrator+) Stored Cross-Site Scripting

Published

2024-12-03

Title

Multiple Plugins - Contributor+ DOM-Based Stored XSS via FancyBox JavaScript Library