Any user with the administrator or League Manager role can store an XSS payload in the custom delimiter setting of events pages. The stored payload then executes on all events pages on the website.
Video PoC: https://youtu.be/J8QZ8S6CiS8
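The fix pattern for this class of bug, shown as an added example in plain PHP. It is not SportsPress code; the function names, the team names and the stored value are constructed for illustration. The delimiter is validated when it is saved and escaped when it is printed.

```php
<?php
// Added illustration, not SportsPress code. All names here are hypothetical.

// Constructed sample: a delimiter value saved by an administrator or League Manager.
$stored_delimiter = '<script>alert(1)</script>';
$teams = ['Home FC', 'Away United'];

// Vulnerable pattern: the stored setting is concatenated into the page as-is,
// so markup inside it is parsed by the browser of every visitor.
function render_title_unsafe(array $teams, string $delimiter): string
{
    return '<h1>' . implode(' ' . $delimiter . ' ', $teams) . '</h1>';
}

// Layer 1, on save: a delimiter is short text such as "vs" or "-".
// Accept 1 to 10 characters, none of which can open a tag, an entity or
// an attribute value; anything else (including invalid UTF-8) falls back
// to the default.
function sanitize_delimiter(string $raw, string $default = 'vs'): string
{
    $value = trim($raw);
    return preg_match('/\A[^<>&"\']{1,10}\z/u', $value) === 1 ? $value : $default;
}

// Layer 2, on output: escape every dynamic value for the HTML context.
// This also neutralises values that were stored before layer 1 existed.
function render_title_safe(array $teams, string $delimiter): string
{
    $esc = static fn(string $s): string =>
        htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<h1>' . implode(' ' . $esc($delimiter) . ' ', array_map($esc, $teams)) . '</h1>';
}

// In a WordPress plugin the corresponding core helpers are
// sanitize_text_field() when saving and esc_html() when printing.
echo render_title_unsafe($teams, $stored_delimiter), PHP_EOL;
echo render_title_safe($teams, $stored_delimiter), PHP_EOL;
echo render_title_safe($teams, sanitize_delimiter($stored_delimiter)), PHP_EOL;
```

Escaping on output is the layer that protects visitors from values already in the database; validation on save only stops new ones.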
CPE

Name | Operator | Version |
---|---|---|
sportspress | lt | 2.7.2 |