WP Event Manager < 3.1.23 – Admin+ Stored Cross-Site Scripting | CVE 2021-24810 | Plugin Vulnerabilities

Description

The plugin does not escape some of its Field Editor settings when outputting them, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed

Proof of Concept

Go to "Field Editor" page. Put the following XSS payload into the "Placeholder / Options" field and save the changes: abc"><script>alert('xss')</script>

The XSS will be triggered when accessing the page again.

Affects Plugins

wp-event-manager

Fixed in 3.1.23

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Huy Nguyen

Submitter

Huy Nguyen

Submitter website

https://www.linkedin.com/in/id-laladee/

Verified

Yes

WPVDB ID

94670822-0251-4e77-8d7f-b47aa7232e52

Timeline

Publicly Published

2022-02-14 (about 2 years ago)

Added

2022-02-14 (about 2 years ago)

Last Updated

2022-04-08 (about 2 years ago)

Other

Published

Title

Published

2022-06-22

Title

404s < 3.5.1 - Admin+ Stored Cross-Site Scripting

Published

2021-09-21

Title

OptinMonster < 2.6.1 - Reflected Cross-Site Scripting (XSS)

Published

2020-08-17

Title

Sell Photo < 1.0.6 - Authenticated Stored Cross-Site Scripting

Published

2022-02-16

Title

WP Voting Contest < 3.0 - Reflected Cross-Site Scripting

Published

2023-02-28

Title

WP Repost <= 0.1 - Admin+ Stored XSS