Events Manager <= 5.8.1.1 - Unauthenticated Stored XSS



Description
An unauthenticated user or a user without privileges, who can submit an event, can inject javascript code in the Google Maps miniature. The malicious code runs in the admin panel when a user with privileges opens the submitted event.

The problem is in the file events-manager.js, the variable mapTitle is not escaped.

15/01/2018 – Events Manager is updated to version 5.8.1.2 and the vulnerability is fixed

Affects Plugin

fixed in version 5.8.1.2

References

CVE 2018-9020
URL https://www.gubello.me/blog/events-manager-authenticated-stored-xss/

Classification

Type XSS
OWASP Top 10 A7: Cross-Site Scripting (XSS)
CWE CWE-79

Miscellaneous

Submitter Luigi
Submitter Website https://www.gubello.me/blog/
Views 5027
Verified No
WPVDB ID 9047

Timeline

Publicly Published 2018-03-26 (over 1 year ago)
Added 2018-03-28 (over 1 year ago)
Last Updated 2018-03-28 (over 1 year ago)

Our Other Services

Online WordPress Vulnerability Scanner WPScan WordPress Security Plugin