WordPress Events-Manager plugin version 5.9.7.3 suffers from a cross site scripting vulnerability.
83df48e5ec605121dc98c5046e3dc01a[-] Title : word press plugin events-manager 5.9.7.3 - Cross-Site Scripting
[-] Author : MEHRAN_FEIZI
[-] Vendor : https://wordpress.org/plugins/events-manager/
[-] Tested on : Windows
[-] Category : Webapps
[-] Date : 2020-02-16
=====================================================================================================
Vulnerable page :
events-manager/admin/bookings/em-cancelled.php
======================================================================================================
Vulnerable Source :
39: echo echo esc_attr($_GET['em_search']) : '';
=======================================================================================================
POC :
http://localhost/wp-content/plugins/events-manager/admin/bookings/em-cancelled.php?em_search=[XSS]
=======================================================================================================
************************
* ==> Contact With We :
* Telegram : @MF0584
* Email : [email protected]
************************