The plugin does not validate and escape some of its post meta before outputting them back in a page/post, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
1. Add an event in the plugin with a city meta as: " onmouseover="alert(1)" 2. On a new page, add the [event-list] shortcode. 3. Hover the mouse on the content displayed by shortcode to trigger the XSS. Dependency: WooCommerce plugin.
Lana Codes
Lana Codes
Yes
2023-01-10 (about 8 months ago)
2023-01-10 (about 8 months ago)
2023-01-10 (about 8 months ago)