Stored Cross-Site Scripting Vulnerability in Eventer Plugin for WordPress
CVE-2024-11132
5.4MEDIUM
Key Information:
- Vendor
- Imithemes
- Status
- Eventer - WordPress Event & Booking Manager Plugin
- Vendor
- CVE Published:
- 3 February 2025
Summary
The Eventer plugin for WordPress has a vulnerability that allows authenticated attackers with contributor-level permissions and higher to exploit insufficient input sanitization and output escaping in user-supplied attributes. This vulnerability enables the injection of arbitrary web scripts via shortcodes, which are executed whenever a user accesses the compromised page. This poses a significant risk to the integrity of the site and the security of its users, as it may allow attackers to manipulate content and potentially steal sensitive information.
Affected Version(s)
Eventer - WordPress Event & Booking Manager Plugin * <= 3.9.9
References
CVSS V3.1
Score:
5.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Changed
Timeline
Vulnerability published
Vulnerability Reserved
Credit
István Márton