WordPress WP Event Manager plugin version 3.1.27 suffers from a persistent cross site scripting vulnerability.
cb5312a73f5b91f714b3b64a7d4a985e9b27b678feeae51e27a65c49cef79597# Exploit Title: WordPress Plugin WP Event Manager - Stored Cross Site
Scripting
# Date: 15-05-2022
# Exploit Author: Mariam Tariq - HunterSherlock
# Vendor Homepage: https://wordpress.org/plugins/wp-event-manager/
# Version: 3.1.27
# Tested on: Firefox
# Contact me: mariamtariq404@gmail.com
#Steps To Reproduce :
1 - First Install the plugins - wp-event-manager and activate it.
2 - Go to event manager —> Add New
3 - Inside the “”Event Title” at the top, enter XSS payload “><img src=x
onerror=alert(1)> and hit publish.
4 - Check the newly made event’s URL /event/{id}/ , XSS will trigger.
#Poc Image :
https://imgur.com/J1Q3x5u
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed