EventPrime < 3.0.0 - Unauthenticated Reflected XSS

2023-05-2200:00:00

wpscan.com

eventprime

unauthenticated

reflected xss

plugin

parameters

admin

EPSS

0.001

Percentile

18.4%

JSON

The plugin does not sanitize and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high-privilege users such as admin.

References

patchstack.com/database/vulnerability/eventprime-event-calendar-management/wordpress-eventprime-plugin-2-8-6-reflected-cross-site-scripting-xss

www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/eventprime-event-calendar-management/eventprime-286-reflected-cross-site-scripting

EPSS

0.001

Percentile

18.4%

JSON

Related for WPVDB-ID:DDFC963D-E35E-48F7-958B-8A4758D25C61