Reflected Cross-Site Scripting Vulnerability in Quick Event Manager Plugin by WordPress
CVE-2023-23491

6.1MEDIUM

Key Information:

Vendor: Wordpress
Status: Quick Event Manager WordPress Plugin
Vendor: CVE Published:; 20 January 2023

Summary

The Quick Event Manager plugin for WordPress, prior to version 9.7.5, is vulnerable to reflected cross-site scripting. This vulnerability is triggered through improper handling of input in the 'category' parameter of its 'qem_ajax_calendar' action, allowing attackers to inject malicious scripts. Users are advised to update to the latest version to mitigate exposure.

Affected Version(s)

Quick Event Manager WordPress Plugin < 9.7.5

References

https://www.tenable.com/security/research/tra-2023-3

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Jan 20, 2023
Vulnerability Reserved
Jan 12, 2023