EventPrime < 3.2.0 – Reflected HTML Injection on keyword parameter | CVE 2023-5238 | Plugin Vulnerabilities

Description

The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to an HTML Injection on the plugin in the search area of the website.

Proof of Concept

Insert '"><a href="www.google.com">Clickme!</a> on the keyword search field or directly on the link https://example.com/index.php/performers/?ep_search=1&keyword='"><a href="https://www.google.com">Clickme!</a> and the Reflected HTML Injection would appear.

Affects Plugins

eventprime-event-calendar-management

Fixed in 3.2.0

References

CVE

Classification

Type

INJECTION

OWASP top 10

CVSS

Miscellaneous

Original Researcher

Miguel Santareno

Submitter

Miguel Santareno

Submitter website

https://miguelsantareno.github.io/

Submitter twitter

MiguelSantareno

Verified

Yes

WPVDB ID

47a5fbfd-f47c-4356-8567-b29dadb48423

Timeline

Publicly Published

2023-10-09 (about 2 years ago)

Added

2023-10-09 (about 2 years ago)

Last Updated

2023-10-09 (about 2 years ago)

Other

Published

Title

Published

2025-04-07

Title

Tutor LMS < 3.4.1 - Subscriber+ HTML Injection

Published

2023-08-07

Title

Ninja Forms < 3.6.26 - Admin+ Stored HTML Injection

Published

2020-10-01

Title

Multiple Themes - Unauthenticated Function Injection

Published

2024-07-17

Title

Cooked Pro < 1.8.0 - Authenticated (Contributor+) HTML Injection

Published

2023-06-23

Title

Supsystic Popup < 1.10.19 - Prototype Pollution