WP Event Manager < 3.1.23 – Admin+ Stored Cross-Site Scripting | CVE 2021-24810 | Plugin Vulnerabilities

Description

The plugin does not escape some of its Field Editor settings when outputting them, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed

Proof of Concept

Go to "Field Editor" page. Put the following XSS payload into the "Placeholder / Options" field and save the changes: abc"><script>alert('xss')</script>

The XSS will be triggered when accessing the page again.

Affects Plugins

wp-event-manager

Fixed in 3.1.23

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Huy Nguyen

Submitter

Huy Nguyen

Submitter website

https://www.linkedin.com/in/id-laladee/

Verified

Yes

WPVDB ID

94670822-0251-4e77-8d7f-b47aa7232e52

Timeline

Publicly Published

2022-02-14 (about 3 years ago)

Added

2022-02-14 (about 3 years ago)

Last Updated

2022-04-08 (about 3 years ago)

Other

Published

Title

Published

2025-02-24

Title

Ibtana <= 1.2.5.5 - Contributor+ Stored XSS

Published

2017-04-05

Title

Download WordPress Firewall 2 - Authenticated Stored XSS/CSRF

Published

2025-02-03

Title

FM Notification Bar <= 1.0.2 - Authenticated (Administrator+) Stored Cross-Site Scripting

Published

2024-06-07

Title

Formula < 0.5.2 - Reflected Cross-Site Scripting via ti_customizer_notify_dismiss_recommended_plugins

Published

2025-04-02

Title

Lexicata <= 1.0.16 - Reflected Cross-Site Scripting