The plugin does not escape some of its Field Editor settings when outputting them, allowing high-privilege users to perform stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (as it is for administrators on multisite installations, or when DISALLOW_UNFILTERED_HTML is set).
Go to the “Field Editor” page, put the following XSS payload into the “Placeholder / Options” field and save the changes:

abc">

The XSS is triggered when the page is loaded again.
| CPE | Name | Operator | Version |
|---|---|---|---|
| | wp-event-manager | lt | 3.1.23 |
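The bug class described above, shown as an added example that is not WP Event Manager's code: the `event_title` input name, the function names and the stored sample value are assumptions, and `esc_attr()` is polyfilled so the script runs with the PHP CLI outside WordPress.

```php
<?php
// Added illustration for the advisory above; not WP Event Manager's code. It shows the
// unsafe pattern the advisory describes (a stored Field Editor setting echoed into an
// HTML attribute without escaping) next to the hardened version. Runs stand-alone with
// the PHP CLI; when WordPress is not loaded, esc_attr() is polyfilled with the same
// htmlspecialchars() call WordPress uses internally (ENT_QUOTES, no double-encoding).
if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string
    {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8', false);
    }
}

// Constructed sample of a value an administrator could save in "Placeholder / Options".
// It is a generic attribute-breakout test string, not the advisory's own payload.
$stored_placeholder = 'abc" autofocus onfocus="alert(document.domain)';

// Vulnerable pattern: the setting is concatenated straight into the placeholder attribute,
// so a double quote in the stored value closes the attribute and the rest becomes markup.
function render_field_vulnerable(string $placeholder): string
{
    return '<input type="text" name="event_title" placeholder="' . $placeholder . '">';
}

// Hardened pattern: esc_attr() encodes & " ' < > at output time, so the value stays inside
// the attribute whatever was stored. Escaping on output is what fixes this class of bug;
// the unfiltered_html capability never helped here because WordPress only enforces it on
// post content and comments, not on settings a plugin saves with its own handler.
function render_field_fixed(string $placeholder): string
{
    return '<input type="text" name="event_title" placeholder="' . esc_attr($placeholder) . '">';
}

// Why input-side tag stripping alone is not enough: the sample contains no '<', so a
// strip_tags()-style sanitizer (similar to what WordPress' sanitize_text_field() does)
// leaves it untouched, and the bare '"' still breaks out of the attribute when rendered
// unescaped. Sanitize on save as defence in depth, but always escape on output.
function input_sanitizer_changes_value(string $value): bool
{
    return strip_tags($value) !== $value;
}

echo "stored value:            ", $stored_placeholder, PHP_EOL;
echo "input sanitizer altered: ", var_export(input_sanitizer_changes_value($stored_placeholder), true), PHP_EOL;
echo "vulnerable render:       ", render_field_vulnerable($stored_placeholder), PHP_EOL;
echo "fixed render:            ", render_field_fixed($stored_placeholder), PHP_EOL;
```

Run it with `php example.php` and compare the two rendered `<input>` lines: in the vulnerable one the stored value closes the `placeholder` attribute and adds its own event handler attribute, while in the fixed one the quotes are encoded and the whole string remains placeholder text. When reviewing a plugin for this pattern, look for settings read back with `get_option()` or `get_post_meta()` and echoed without `esc_attr()` / `esc_html()`.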