![Events Management plugin for WordPress](http://d1mkunav5pg7l3.cloudfront.net/wp-content/themes/wp-events-plugin/images/logo-header.png)
High-Tech Bridge Security Research Lab has discovered multiple XSS vulnerabilities in version 5.3.3 of the Events Manager WordPress plugin, which can be exploited to perform Cross-Site Scripting attacks.
These vulnerabilities exist due to insufficient filtering of user-supplied data in the "scope" GET parameter passed to "index.php", the "_wpnonce" GET parameter passed to "wp-admin/edit.php", the "user_name", "dbem_phone" and "user_email" GET parameters passed to "index.php", and the "booking_comment" POST parameter passed to "index.php". A remote attacker can trick a user or administrator into opening a specially crafted link and execute arbitrary HTML and script code in the victim's browser in the context of the vulnerable website.
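The following is an added example, not code from the Events Manager plugin, showing the class of defect the advisory describes with the "scope" parameter as the reflected value: the vulnerable function echoes the GET parameter verbatim into an attribute and into element text, while the hardened form escapes at output time for each HTML context using the WordPress functions esc_attr() and esc_html(). The shims at the top are stand-ins that only take effect when WordPress is not loaded, so the file runs on its own.

```php
<?php
// Added example (not the plugin's code). Stand-in shims so the file runs
// outside WordPress; inside WordPress the real esc_attr()/esc_html() are used.
if (!function_exists('esc_attr')) {
    function esc_attr($text) { return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8'); }
}
if (!function_exists('esc_html')) {
    function esc_html($text) { return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8'); }
}

// Vulnerable pattern: the "scope" GET value is reflected without encoding,
// so a quote closes the attribute and a '<' starts a new element.
function render_scope_vulnerable(array $get): string {
    $scope = $get['scope'] ?? 'future';
    return '<input type="hidden" name="scope" value="' . $scope . '">'
         . '<p>Showing ' . $scope . ' events</p>';
}

// Hardened pattern: encode at the point of output, choosing the escaper for
// the context the value lands in (attribute value vs. element text).
function render_scope_safe(array $get): string {
    $scope = $get['scope'] ?? 'future';
    return '<input type="hidden" name="scope" value="' . esc_attr($scope) . '">'
         . '<p>Showing ' . esc_html($scope) . ' events</p>';
}

// Constructed request used to compare the two renderings.
$probe = ['scope' => '"><b>injected</b>'];
echo render_scope_vulnerable($probe), "\n"; // new markup ends up in the page
echo render_scope_safe($probe), "\n";       // quotes and angle brackets are encoded
```

The same per-context escaping applies to every parameter the advisory lists (user_name, dbem_phone, user_email, booking_comment, _wpnonce); input sanitisation on the way in does not replace output encoding on the way out.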
Solution: upgrade to Events Manager 5.3.4. Additional details are available in advisory HTB23139 - Multiple XSS vulnerabilities in Events Manager WordPress plugin.
Events Manager is a popular WordPress plugin offering fully featured event registration management, including recurring events, location management, a calendar, Google Maps integration and booking management. Upgrading older versions to the latest release is recommended.