wpeventmanager / wp-event-manager

WP Event Manager is a lightweight, scalable and full-featured event management plugin for adding event listing functionality to your WordPress site. The shortcode lists all the events; it can work with any theme and is really easy to set up and customise.
https://wp-eventmanager.com

Wordfence security issue #1661

Closed jathinkj closed 2 months ago

jathinkj commented 2 months ago

We have the following vulnerability to disclose to you, and the details are outlined below.

Vulnerability Title: WP Event Manager – Events Calendar, Registrations, Sell Tickets with WooCommerce <= 3.1.43 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'events' Shortcode
CVE ID: CVE-2024-2691
CVSS Severity Score: 6.4 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Organization: Wordfence
Vulnerability Researcher(s): Krzysztof Zając
Software Link: https://wordpress.org/plugins/wp-event-manager

Description: The WP Event Manager – Events Calendar, Registrations, Sell Tickets with WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'events' shortcode in all versions up to, and including, 3.1.43 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Proof of Concept:
[events layout_type='" style=left:-2000px;width:4000px!important;max-width:4000px!important;top:-2000px;height:4000px!important;z-index:99999;background-color:red;position:absolute onmouseover=alert(/xss/) x']

Any Known Public References: No known public reference

Recommended Solution: We recommend properly sanitizing and escaping all user supplied attributes.


As per our standard disclosure process, we may notify our customers and the general public about this vulnerability according to the timeline outlined here: https://www.wordfence.com/security/. We may confidentially notify interested parties both inside and outside our organization before the announcement date. To avoid an accelerated disclosure timeline, please acknowledge receipt of this report within 14 days.

You should be aware that other researchers may independently discover this vulnerability and announce it prematurely. You should also note that this vulnerability may be exploited in the wild already. For these reasons we encourage you to release a fix as soon as possible to help protect your customers.
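The recommended solution above, shown as an added example that is not part of the original report and is not the plugin's own code: a vulnerable renderer beside a hardened one, plus a regression check that parses the output. It assumes the `layout_type` value is echoed into a double-quoted HTML attribute, as the leading quote in the proof of concept suggests; the function names, the `event-listings` class and the allowed layout values are hypothetical.

```php
<?php
// Added example: stand-alone PHP, no WordPress required.
// ASSUMPTION: layout_type is echoed into a double-quoted HTML attribute.
// ALLOWED_LAYOUTS holds hypothetical values, not the plugin's real list.
const ALLOWED_LAYOUTS = ['box', 'line'];

// Vulnerable pattern: the raw attribute value is concatenated into markup.
function render_vulnerable(array $atts): string {
    $layout = $atts['layout_type'] ?? 'box';
    return '<div class="event-listings ' . $layout . '"></div>';
}

// Hardened pattern: allowlist on input, then escape on output.
// Inside WordPress, esc_attr() is the output escaper to use here.
function render_hardened(array $atts): string {
    $layout = $atts['layout_type'] ?? 'box';
    if (!in_array($layout, ALLOWED_LAYOUTS, true)) {
        $layout = 'box'; // unknown value: fall back to the default
    }
    $layout = htmlspecialchars($layout, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<div class="event-listings ' . $layout . '"></div>';
}

// Regression check: parse the output and list attributes on the <div>.
// Anything other than "class" means the value escaped its attribute.
function unexpected_attributes(string $html): array {
    libxml_use_internal_errors(true); // malformed markup is expected here
    $doc = new DOMDocument();
    $doc->loadHTML($html);
    libxml_clear_errors();
    $div = $doc->getElementsByTagName('div')->item(0);
    $names = [];
    foreach ($div->attributes as $attr) {
        if ($attr->name !== 'class') {
            $names[] = $attr->name;
        }
    }
    return $names;
}

// Constructed input, shortened from the report's proof of concept.
$atts = ['layout_type' => '" onmouseover=alert(/xss/) x'];

var_dump(unexpected_attributes(render_vulnerable($atts)));
var_dump(unexpected_attributes(render_hardened($atts)));
```

The same `unexpected_attributes()` check can be kept as a unit test so that a later change to the template cannot reintroduce the unescaped attribute unnoticed.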

live-aamir commented 2 months ago

@mistry-jignesh This issue is covered in https://github.com/wpeventmanager/wp-event-manager/issues/1649. Please check.

mistry-jignesh commented 2 months ago

I have verified this issue. Now it is fixed. I have checked the issue using the provided shortcode. This is working fine. So I closed the issue.