Events Manager <= 5.8.1.1 - Unauthenticated Stored XSS

Sign up to our free email alerts service for instant vulnerability notifications!

Description
An unauthenticated user or a user without privileges, who can submit an event, can inject javascript code in the Google Maps miniature. The malicious code runs in the admin panel when a user with privileges opens the submitted event.

The problem is in the file events-manager.js, the variable mapTitle is not escaped.

15/01/2018 – Events Manager is updated to version 5.8.1.2 and the vulnerability is fixed

Affects Plugin

fixed in version 5.8.1.2

References

CVE 2018-9020
URL https://www.gubello.me/blog/events-manager-authenticated-stored-xss/

Classification

Type XSS
OWASP Top 10 A3: Cross-Site Scripting (XSS)
CWE CWE-79

Miscellaneous

Submitter Luigi
Submitter Website https://www.gubello.me/blog/
Views 305
Verified No
WPVDB ID 9047

Timeline

Publicly Published 2018-03-26 (4 months ago)
Added 2018-03-28 (4 months ago)
Last Updated 2018-03-28 (4 months ago)

Copyright & License

Copyright All data and resources contained within this page and this web site is Copyright © The WPScan Team.
License Some of this data may be used for non-commercial purposes, however, any potential commercial usage of this data will require a license. If you would like to inquire about a commercial license please contact us.