Events Made Easy < 2.2.24 – Admin+ Stored Cross-Site Scripting | CVE 2021-24813 | Plugin Vulnerabilities

Description

The plugin does not sanitise and escape Custom Field Names, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed

Proof of Concept

Add/Edit a Custom Field (/wp-admin/admin.php?page=eme-formfields) and put the following payload in the Field Name: a<script>alert(/XSS/)</script>

The XSS will be triggered when accessing some pages like Custom Field, Pending Bookings, Approved Bookings

Affects Plugins

events-made-easy

Fixed in 2.2.24

References

CVE

URL

https://plugins.trac.wordpress.org/changeset/2607749/

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Huy Nguyen

Submitter

Huy Nguyen

Submitter website

https://www.linkedin.com/in/id-laladee/

Verified

Yes

WPVDB ID

a1fe0783-7a88-4d75-967f-cef970b73752

Timeline

Publicly Published

2021-10-04 (about 2 years ago)

Added

2021-10-04 (about 2 years ago)

Last Updated

2022-04-15 (about 2 years ago)

Other

Published

Title

Published

2020-08-10

Title

RSS Feed Widget < 2.8.1 - Authenticated Cross-Site Scripting (XSS)

Published

2014-08-01

Title

floating-tweets - Stored XSS

Published

2016-04-06

Title

Post Duplicator <= 2.16 - Cross-Site Scripting (XSS)

Published

2015-06-18

Title

Ultimate Member 1.2.98-1.2.994 - Reflected Cross-Site Scripting (XSS)

Published

2014-08-01

Title

Catablog < 1.6.3 - Cross Site Scripting