WordPress Plugin Vulnerabilities

WP Event Manager < 3.1.42 - Editor+ Stored XSS

Description

The plugin does not sanitise and escape some parameters, which could allow users with a role as low as Editor to perform Stored Cross-Site Scripting attacks

Affects Plugins

Plugin icon
wp-event-manager
Fixed in 3.1.42

References

CVE
CVE-2023-49181
URL
https://patchstack.com/database/vulnerability/wp-event-manager/wordpress-wp-event-manager-plugin-3-1-39-cross-site-scripting-xss-vulnerability-2

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
3.5 (low)

Miscellaneous

Original Researcher
emad
Verified
No
WPVDB ID
8ef20109-125f-47da-9a1a-811f0c05f00e

Timeline

Publicly Published
2023-11-29 (about 2 years ago)
Added
2023-12-08 (about 2 years ago)
Last Updated
2024-02-12 (about 2 years ago)

Other

Published
Title
Published
2010-11-05
Title
Feedlist < 2.70.00 - XSS
Published
2024-09-30
Title
SliceWP < 1.1.19 - Reflected Cross-Site Scripting
Published
2025-05-30
Title
FastSpring <= 3.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2021-10-05
Title
Simple Download Monitor < 3.9.5 - Reflected Cross-Site Scripting
Published
2024-04-03
Title
ElementsKit Elementor addons < 3.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Countdown Widget