WordPress Plugin Vulnerabilities

Simple Event Planner < 1.5.5 - Contributor+ Stored XSS

Description

The plugin does not sanitise and escape the custom[add_seg][] parameter, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks

Affects Plugins

Plugin icon
simple-event-planner
Fixed in 1.5.5

References

CVE
CVE-2022-25611

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
3.4 (low)

Miscellaneous

Original Researcher
Ngo Van Thien
Verified
No
WPVDB ID
905ee9a3-fd36-4fc4-afb1-484ab1405ead

Timeline

Publicly Published
2022-03-23 (about 4 years ago)
Added
2023-08-07 (about 2 years ago)
Last Updated
2023-08-07 (about 2 years ago)

Other

Published
Title
Published
2025-10-02
Title
Generic Elements <= 1.2.8 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2023-09-12
Title
Photospace Responsive < 2.1.2 - Admin+ Stored XSS
Published
2025-05-23
Title
4stats <= 2.0.9 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Published
2024-05-24
Title
Social Pixel <= 2.1 - Admin+ Stored XSS
Published
2023-07-12
Title
Variation Swatches for WooCommerce < 2.3.8 - Reflected Cross-Site Scripting