Stored Cross-Site Scripting Vulnerability in EventPrime for WordPress Plugin
CVE-2024-12024

6.1 MEDIUM

Key Information:

Vendor:
WordPress
CVE Published:
17 December 2024

Summary

CVE-2024-12024 is a significant stored Cross-Site Scripting (XSS) vulnerability in the EventPrime plugin for WordPress. In all versions up to and including 4.0.5.3, the em_ticket_category_data and em_ticket_individual_data parameters are subject to inadequate input sanitization and output escaping, which unauthenticated attackers can exploit. If the 'Guest Submissions' feature is enabled, malicious scripts can be injected into pages, and they execute whenever an administrative user visits a compromised page. Given the potential for extensive exploitation, this vulnerability poses a critical security risk to websites using the EventPrime plugin.

Affected Version(s)

EventPrime – Events Calendar, Bookings and Tickets * <= 4.0.5.3

CVSS V3.1

Score:
6.1
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

D.Sim