WordPress Plugin Vulnerabilities

EventPrime < 3.0.0 - Unauthenticated Reflected XSS

Description

The plugin does not sanitize and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high-privilege users such as admin.

Affects Plugins

Plugin icon
eventprime-event-calendar-management
Fixed in 3.0.0

References

CVE
CVE-2023-33326
URL
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/eventprime-event-calendar-management/eventprime-286-reflected-cross-site-scripting
URL
https://patchstack.com/database/vulnerability/eventprime-event-calendar-management/wordpress-eventprime-plugin-2-8-6-reflected-cross-site-scripting-xss

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
7.1 (high)

Miscellaneous

Original Researcher
yuyudhn
Verified
No
WPVDB ID
ddfc963d-e35e-48f7-958b-8a4758d25c61

Timeline

Publicly Published
2023-05-22 (about 2 years ago)
Added
2023-05-29 (about 2 years ago)
Last Updated
2023-05-29 (about 2 years ago)

Other

Published
Title
Published
2025-01-03
Title
MG Parallax Slider <= 1.0 - Reflected Cross-Site Scripting
Published
2025-02-17
Title
Simple Charts <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2025-12-30
Title
teachPress < 9.0.13 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2024-11-20
Title
Dynamic "To Top" 3.5.2 - Authenticated (Administrator+) Stored Cross-Site Scripting
Published
2024-09-26
Title
Loops & Logic < 4.1.5 - Reflected Cross-Site Scripting