Registrations for The Events Calendar < 2.12.4 – Unauthenticated Stored XSS | CVE 2024-7982 | Plugin Vulnerabilities

Description

The plugin does not sanitise and escape some parameters when accepting event registrations, which could allow unauthenticated users to perform Cross-Site Scripting attacks.

Proof of Concept

Note: This requires `the-events-calendar` to be installed

1. Add an event
2. As an unauthenticated user, register for the event
3. Enter the payload `ds"><script>alert(2)</script>` for the first and last name
4. As an admin, view the registrations: https://example.com/wp-admin/admin.php?page=registrations-for-the-events-calendar
5. Click "Detailed View" and then select the registration containing the payload
6. Click "Edit Selected" and see the XSS

Affects Plugins

registrations-for-the-events-calendar

Fixed in 2.12.4

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Bob Matyas

Submitter

Bob Matyas

Submitter website

https://www.bobmatyas.com

Submitter twitter

Verified

Yes

WPVDB ID

d79e1e9c-980d-4974-bfbd-d87d6e28d9a6

Timeline

Publicly Published

2024-10-18 (about 1 year ago)

Added

2024-10-18 (about 1 year ago)

Last Updated

2024-10-18 (about 1 year ago)

Other

Published

Title

Published

2024-05-09

Title

EmbedPress Embed PDF, Google Docs, Vimeo, Wistia, Embed YouTube Videos, Audios, Maps & Embed Any Documents in Gutenberg & Elementor < 3.9.17 - Authenticated (Contributor+) Stored Cross-Site Scripting via id Parameter

Published

2025-01-06

Title

GDY Modular Content < 0.9.93 - Reflected Cross-Site Scripting

Published

2023-05-30

Title

Unite Gallery Lite < 1.7.62 - Admin+ Stored XSS

Published

2024-07-19

Title

Category Posts Widget (Free < 4.9.17, Pro < 4.9.13) - Admin+ Stored XSS

Published

2025-04-10

Title

Coming Soon Countdown <= 2.2 - Reflected Cross-Site Scripting