WordPress Plugin Vulnerabilities

Events Made Easy < 1.6.21 - CSRF to Cross-Site Scripting (XSS)

Description

The plugin does not have CSRF checks in place when adding or editing an event, and do not sanitise some fo the fields. This cold allow an attacker to make a logged in admin create an event with a Cross-Site Scripting payload.

Proof of Concept

Affects Plugins

Plugin icon
events-made-easy
Fixed in 1.6.21

References

URL
https://seclists.org/fulldisclosure/2016/Aug/20
URL
https://sumofpwn.nl/advisory/2016/cross_site_scripting_vulnerability_in_events_made_easy_wordpress_plugin.html

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
8.8 (high)

Miscellaneous

Submitter
ethicalhack3r
Submitter twitter
ethicalhack3r
Verified
Yes
WPVDB ID
ad2037fa-e835-44df-b2c2-c47e2f57f76c

Timeline

Publicly Published
2016-08-04 (about 9 years ago)
Added
2016-08-12 (about 9 years ago)
Last Updated
2021-10-01 (about 4 years ago)

Other

Published
Title
Published
2023-03-06
Title
clickfunnels <= 3.1.1 - Settings Update via CSRF
Published
2024-01-12
Title
Index Now < 2.6.4 - Cross-Site Request Forgery via reset_form
Published
2025-01-16
Title
Marquee Style RSS News Ticker <= 3.2.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Published
2025-03-11
Title
Mobile Themes <= 1.1.1 - Cross-Site Request Forgery
Published
2025-03-24
Title
Map Contact <= 3.0.4 - Cross-Site Request Forgery to Stored Cross-Site Scripting