WP FEvents Book <= 0.46 – Subscriber+ Stored XSS | CVE 2023-1126 | Plugin Vulnerabilities

Description

The plugin does not sanitise and escape some parameters, which could allow any authenticated users, such as subscriber to perform Cross-Site Scripting attacks

Proof of Concept

1. Create an event page using the plugin.
2. Access the page using an account with Subscriber role.
3. In the 'User notes' section, inject the following XSS payload: `<img src=q onerror=prompt(/XSS/)>`

Affects Plugins

wp-fevents-book

No known fix

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Ameen Alkurdy

Submitter

Ameen Alkurdy

Submitter website

https://ameenalkurdy.github.io/

Submitter twitter

Verified

Yes

WPVDB ID

87ce3c59-b234-47bf-abca-e690b53bbe82

Timeline

Publicly Published

2023-04-03 (about 2 years ago)

Added

2023-04-03 (about 2 years ago)

Last Updated

2023-04-03 (about 2 years ago)

Other

Published

Title

Published

2025-07-11

Title

Contest Gallery < 26.0.7 - Reflected Cross-Site Scripting

Published

2025-11-10

Title

WP Count Down Timer <= 1.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2024-07-10

Title

MBE eShip < 2.3.0 - Reflected XSS

Published

2021-09-20

Title

WP Ticket < 5.10.4 - Admin+ Stored Cross-Site Scripting

Published

2024-05-17

Title

WP Backpack <= 2.1 - Admin+ Stored XSS