WordPress Events Manager 5.8.1.1 Cross Site Scripting

WordPress Events Manager plugin version 5.8.1.1 suffers from a stored cross-site scripting vulnerability.


MD5 | 9e1bd039b3d6e797b1722ceed646c3a7

Hi,
In January I found a stored XSS in Events Manager 5.8.1.1 - WP plugin (100,000+ downloads). CVE: 2018-9020

An unauthenticated user or a user without privileges, who can submit an event, can inject JavaScript code in the Google Maps miniature. The malicious code runs in the admin panel when a user with privileges opens the submitted event.

The problem is in the file events-manager.js: the variable mapTitle is not escaped.

Links:
https://www.gubello.me/blog/events-manager-authenticated-stored-xss/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9020
http://wp-events-plugin.com/blog/2018/01/15/events-manager-5-8-1-2-security-release/

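The class of bug the advisory describes, a submitter-controlled title placed unescaped into map balloon markup, is shown below next to the encoded form. This is an added example, not code from the plugin or from the advisory's author; the function names, the `map-balloon` markup and the sample title are assumptions made for illustration, and only the variable name `mapTitle` comes from the advisory.

```javascript
// Added illustration; not the plugin's source. Function names and the
// balloon markup are hypothetical; only "mapTitle" comes from the advisory.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the five characters that can change the HTML parsing context.
function escapeHtml(value) {
  return String(value == null ? '' : value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: submitter-controlled text concatenated into markup.
function infoWindowHtmlUnsafe(mapTitle) {
  return '<div class="map-balloon"><strong>' + mapTitle + '</strong></div>';
}

// Hardened pattern: the title is encoded before it reaches the markup.
function infoWindowHtmlSafe(mapTitle) {
  return '<div class="map-balloon"><strong>' + escapeHtml(mapTitle) + '</strong></div>';
}

// Regression check: once the fixed wrapper is stripped, nothing that came
// from the title may still contain a tag delimiter.
function titleStaysText(html) {
  const inner = html
    .replace(/^<div class="map-balloon"><strong>/, '')
    .replace(/<\/strong><\/div>$/, '');
  return !/[<>]/.test(inner);
}

// Constructed sample input: a location title carrying markup.
const constructedTitle = 'Town Hall <img src=x onerror="console.log(1)">';

function demo() {
  return {
    unsafe: titleStaysText(infoWindowHtmlUnsafe(constructedTitle)),
    safe: titleStaysText(infoWindowHtmlSafe(constructedTitle)),
    rendered: infoWindowHtmlSafe(constructedTitle),
  };
}

console.log(demo());
```

Where the balloon is built with DOM nodes rather than an HTML string, assigning the title through `textContent` gives the same result without manual encoding.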
