WP Event Manager is a lightweight, scalable and full-featured event management plugin for adding event listing functionality to your WordPress site. The shortcode lists all the events; it can work with any theme and is really easy to set up and customise.
Hello,
We have the following vulnerability to disclose to you, and the details are outlined below.
Vulnerability Title: WP Event Manager – Events Calendar, Registrations, Sell Tickets with WooCommerce <= 3.1.43 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'events' Shortcode
CVE ID: CVE-2024-2691
CVSS Severity Score: 6.4 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Organization: Wordfence
Vulnerability Researcher(s): Krzysztof Zając
Software Link: https://wordpress.org/plugins/wp-event-manager
Description
The WP Event Manager – Events Calendar, Registrations, Sell Tickets with WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'events' shortcode in all versions up to, and including, 3.1.43 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Proof of Concept
[events layout_type='" style=left:-2000px;width:4000px!important;max-width:4000px!important;top:-2000px;height:4000px!important;z-index:99999;background-color:red;position:absolute onmouseover=alert(/xss/) x']
Any Known Public References
No known public reference
Recommended Solution
We recommend properly sanitizing and escaping all user supplied attributes.
As per our standard disclosure process, we may notify our customers and the general public about this vulnerability according to the timeline outlined here: https://www.wordfence.com/security/. We may confidentially notify interested parties both inside and outside our organization before the announcement date. To avoid an accelerated disclosure timeline, please acknowledge receipt of this report within 14 days.
You should be aware that other researchers may independently discover this vulnerability and announce it prematurely. You should also note that this vulnerability may be exploited in the wild already. For these reasons we encourage you to release a fix as soon as possible to help protect your customers.
As a courtesy we ask that you notify us as soon as you release a fix to your customers. Please let me know if you have any questions.
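The recommended solution applied to a shortcode handler, as an added example that is not part of the report and is not WP Event Manager's own code. The handler names, the `data-layout` markup and the list of allowed layout values are assumptions; the two `function_exists` shims only stand in for WordPress core's `esc_attr()` and `shortcode_atts()` when the file is run outside WordPress.

```php
<?php
// Added example: hypothetical handlers, not the plugin's actual code.

// Stand-ins so the file also runs with plain `php`; inside WordPress the
// core esc_attr() and shortcode_atts() already exist and are used instead.
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8');
    }
}
if (!function_exists('shortcode_atts')) {
    function shortcode_atts($defaults, $atts) {
        // Keep only known attribute names, fall back to defaults.
        return array_merge($defaults, array_intersect_key((array) $atts, $defaults));
    }
}

// Vulnerable pattern: the attribute value is concatenated into the markup
// unescaped, so a double quote in it ends the HTML attribute early.
function demo_events_unsafe($atts) {
    $atts = shortcode_atts(array('layout_type' => 'all'), $atts);
    return '<div class="event-listings" data-layout="' . $atts['layout_type'] . '"></div>';
}

// Hardened pattern: sanitize on input (allowlist), escape on output.
function demo_events_safe($atts) {
    $atts    = shortcode_atts(array('layout_type' => 'all'), $atts);
    $allowed = array('all', 'box', 'list', 'calendar'); // assumed values
    $layout  = in_array($atts['layout_type'], $allowed, true)
        ? $atts['layout_type']
        : 'all';
    // esc_attr() stays even after the allowlist, so a later change to
    // $allowed cannot reintroduce the attribute breakout.
    return '<div class="event-listings" data-layout="' . esc_attr($layout) . '"></div>';
}

// Constructed input, shortened from the report's proof of concept.
$atts = array('layout_type' => '" onmouseover=alert(/xss/) x');

echo demo_events_unsafe($atts), "\n"; // value escapes the data-layout attribute
echo demo_events_safe($atts), "\n";   // unknown value replaced by the default
echo esc_attr($atts['layout_type']), "\n"; // escaping alone: quote becomes &quot;
```

For attributes that cannot be restricted to a fixed set of values, escaping at the point of output with `esc_attr()` is the control that keeps the value inside its HTML attribute.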