WordPress Event Manager plugin version 5.8.1.1 suffers from a cross site scripting vulnerability.
baf4458c23251ad71852c73e90d1678d2e8eaaa88fc903857be36dcdba922235Hi,
In January I found a stored XSS in Events Manager 5.8.1.1 - WP plugin (100,000+ downloads). CVE: 2018-9020
An unauthenticated user or a user without privileges, who can submit an event, can inject javascript code in the Google Maps miniature. The malicious code runs in the admin panel when a user with privileges opens the submitted event.
The problem is in the file events-manager.js, the variable mapTitle is not escaped.
Links:
https://www.gubello.me/blog/events-manager-authenticated-stored-xss/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9020
http://wp-events-plugin.com/blog/2018/01/15/events-manager-5-8-1-2-security-release/
Sent with [ProtonMail](https://protonmail.com) Secure Email.
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed