Description
The WordPress plugin Events Manager Extended is prone to multiple HTML injection vulnerabilities because it fails to properly sanitize user-supplied input. Attacker-supplied HTML and script code would execute in the user's browser in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user; other attacks are also possible. Events Manager Extended version 3.1.2 is vulnerable; other versions may also be affected.
Remediation
Update the plugin to the latest version.
References
http://www.exploit-db.com/exploits/14923/
http://packetstormsecurity.com/files/view/93555/wordpressem-xss.txt