5 matches found
CVE-2022-1905
The CVE-2022-1905 entry documents an SQL injection in the WordPress plugin “Events Made Easy” before version 2.2.81. The vulnerability arises from improper sanitisation and escaping of a parameter used in a SQL statement via an unauthenticated AJAX action, allowing an attacker to inject SQL. The ...
CVE-2023-28660
CVE-2023-28660 affects the WordPress Events Made Easy plugin (versions ≤ 2.3.14). The vulnerability is an authenticated SQL injection in the eme_recurrences_list action via the search_name parameter, enabling SQLi with the attacker’s authenticated session. CVSSv3 base 8.8 (HIGH) reflects impact o...
CVE-2021-25030
CVE-2021-25030 : The WordPress plugin Events Made Easy (before 2.2.36) fails to sanitize and escape the search_text parameter used in the eme_searchmail AJAX action, enabling SQL injection when called by any authenticated user (e.g., roles as low as a subscriber). The vulnerability stems from imp...
CVE-2021-24813
CVE-2021-24813 affects the WordPress plugin Events Made Easy prior to version 2.2.24. The vulnerability arises from insufficient sanitisation/escaping of Custom Field Names in the form field handling, enabling an authenticated, high-privilege user to perform stored XSS even if unfiltered_html is ...
CVE-2023-0404
CVE-2023-0404 affects the Events Made Easy WordPress plugin (versions up to and including 2.3.16). The root cause is a missing capability check on several AJAX-related functions, enabling authenticated users with subscriber-level permissions and above to call administrator-only actions. Impact is...