WordPress Plugin Vulnerabilities

Events Manager <= 5.8.1.1 - Unauthenticated Stored XSS

Description

An unauthenticated user or a user without privileges, who can submit an event, can inject javascript code in the Google Maps miniature. The malicious code runs in the admin panel when a user with privileges opens the submitted event.

The problem is in the file events-manager.js, the variable mapTitle is not escaped.

15/01/2018 – Events Manager is updated to version 5.8.1.2 and the vulnerability is fixed

Affects Plugins

Plugin icon
events-manager
Fixed in 5.8.1.2

References

CVE
CVE-2018-9020
URL
https://www.gubello.me/blog/events-manager-authenticated-stored-xss/

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
5.4 (medium)

Miscellaneous

Submitter
Luigi
Submitter website
https://www.gubello.me/blog/
Verified
No
WPVDB ID
e7c38907-2d2f-41b4-a58b-f1225aa4c4eb

Timeline

Publicly Published
2018-03-26 (about 8 years ago)
Added
2018-03-28 (about 8 years ago)
Last Updated
2020-09-22 (about 5 years ago)

Other

Published
Title
Published
2021-12-14
Title
WooCommerce EnvioPack <= 1.2 - Reflected Cross-Site Scripting
Published
2025-02-16
Title
Track Page Scroll <= 1.0.2 - Reflected Cross-Site Scripting
Published
2021-09-06
Title
Modern Events Calendar Lite < 5.22.2 - Admin+ Stored Cross-Site Scripting
Published
2022-01-12
Title
Mitsol Social Post Feed < 1.11 - Admin+ Stored Cross-Site Scripting
Published
2022-05-09
Title
IMDB info box <= 2.0 - Admin+ Stored Cross-Site Scripting