WordPress EventON <2.2.17 Admin Stored XSS Vulnerability

From this webpage screenshot, the following key information about the vulnerability can be obtained: 1. Plugin Name: EventON < 2.2.17 - Admin+ Stored XSS 2. Description: The plugin does not sanitize or escape certain settings, allowing high-privilege users (such as administrators) to execute cross-site scripting attacks even when is disabled. 3. PoC (Proof of Concept): - Navigate to: - Click on “Other”. - Enter an XSS payload in the “List” field and save the changes. - Trigger the XSS by pressing ALT + SHIFT + X. - Trigger the XSS by clicking on the “List” field. 4. Affected Plugin: eventon-lite - Fixed in version 2.2.17. 5. Classification: - Type: XSS - OWASP Top 10: A7: Cross-Site Scripting (XSS) - CWE: CWE-79 6. Additional Information: - Original Researcher: Wesley "dk4trin" Santos - Submitter: Wesley "dk4trin" Santos - Submitter Twitter: dk4trin - Verified: Yes - WPVDB ID: 468373c6-7e47-489a-92c1-75025c543fd5 - Published Date: 2024-08-19 - Added Date: 2024-08-19 - Last Updated: 2024-08-19 - Related Vulnerabilities: - Claptastic clap! Button <= 1.3 - Authenticated Cross-Site Scripting (XSS) - Gutenberg Blocks by Kadence Blocks - Page Builder Features < 3.2.37 - Authenticated (Contributor+) Stored Cross-Site Scripting via Countdown Timer - Mailtree Log Mail < 1.0.1 - Unauthenticated Stored Cross-Site Scripting - Rate Star Review < 1.5.2 - Reflected Cross-Site Scripting - Gutenberg Block Editor Toolkit - EditorsKit < 1.40.5 - Authenticated (Contributor+) Stored Cross-Site Scripting This information provides a detailed description of the vulnerability, its scope, remediation status, and a list of related vulnerabilities.

Goal Reached Thanks to every supporter — we hit 100%!

WordPress EventON <2.2.17 Admin Stored XSS Vulnerability

More from this source