WP Event Manager < 3.1.42 – Reflected Cross-Site Scripting via plugin | CVE 2024-0976 | Plugin Vulnerabilities

Description

The WP Event Manager – Events Calendar, Registrations, Sell Tickets with WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the plugin parameter in all versions up to, and including, 3.1.41 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

Affects Plugins

wp-event-manager

Fixed in 3.1.42

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/4d7f4d17-8318-4ab3-b4a2-81d7a017c397

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Maksim Kosenko

Verified

No

WPVDB ID

f2b06c3c-6403-4d3c-9567-fac05823a4e2

Timeline

Publicly Published

2024-02-23 (about 2 years ago)

Added

2024-02-23 (about 2 years ago)

Last Updated

2024-02-23 (about 2 years ago)

Other

Published

Title

Published

2025-06-05

Title

WP Social Widget < 2.3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2014-06-12

Title

Walk Score <= 0.5.5 - Multiple XSS

Published

2026-04-07

Title

PrivateContent Free < 1.3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'align' Shortcode Attribute

Published

2024-03-29

Title

Responsive Image Gallery, Gallery Album <= 2.0.3 - Reflected Cross-Site Scripting

Published

2021-08-25

Title

Multiple Plugins - Reflected Cross-Site Scripting via PHPRelativePath Library