WordPress Plugin Vulnerabilities

RSVP and Event Management < 2.7.5 - Reflected Cross-Site Scripting

Description

The plugin does not sanitise and escape various parameters before outputting them back in attributes in admin pages, leading to Reflected Cross-Site Scripting issues

Proof of Concept

Affects Plugins

Plugin icon
rsvp
Fixed in 2.7.5

References

URL
https://plugins.trac.wordpress.org/changeset/2657201

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.1 (medium)

Miscellaneous

Original Researcher
WPScanTeam
Verified
Yes
WPVDB ID
e5067015-beeb-4517-8272-4e69f83896ec

Timeline

Publicly Published
2022-01-14 (about 4 years ago)
Added
2022-01-14 (about 4 years ago)
Last Updated
2022-01-14 (about 4 years ago)

Other

Published
Title
Published
2021-11-14
Title
Contact Form Entries < 1.2.4 - Reflected Cross-Site Scripting
Published
2014-08-01
Title
Events Manager Extended - Stored XSS
Published
2025-04-02
Title
Advanced Typekit <= 1.0.1 - Authenticated (Subscriber+) Stored Cross-Site Scripting
Published
2025-08-26
Title
XmasB Quotes <= 1.6.1 - Reflected Cross-Site Scripting
Published
2024-07-04
Title
WP Directory Kit < 1.3.6 - Reflected Cross-Site Scripting