Description

WordPress Plugin Events Manager is prone to multiple vulnerabilities, including cross-site scripting and code injection vulnerabilities. Exploiting these issues could allow an attacker to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, to steal cookie-based authentication credentials or to execute arbitrary code within the context of the affected webserver process, which may result in total compromise of the web server. WordPress Plugin Events Manager version 5.5.7.1 is vulnerable; prior versions may also be affected.

Remediation

Update to plugin version 5.6 or latest

References

https://wordpress.org/plugins/events-manager/changelog/

Related Vulnerabilities

Oracle Database Server CVE-2009-1985 Vulnerability (CVE-2009-1985)

Grafana Server-Side Request Forgery (SSRF) Vulnerability (CVE-2020-13379)

Apache HTTP Server Numeric Errors Vulnerability (CVE-2003-1580)

osCommerce Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2023-43735)

Elgg Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2021-4072)

Severity

High

Classification

CWE-79 CWE-94 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Tags

Missing Update