Stored Cross-Site Scripting Vulnerability in EventPrime Plugin
CVE-2024-9864
6.1 MEDIUM
Key Information:
- Vendor: WordPress
- CVE Published: 24 October 2024
Summary
The EventPrime – Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) because of insufficient input sanitization and output escaping. The vulnerability affects all plugin versions up to and including 4.0.4.7. Attackers who are able to submit new events with ticket names can inject arbitrary web scripts into web pages. The scripts execute whenever a user accesses an affected page, which threatens website security and the integrity of user data.
Affected Version(s)
EventPrime – Events Calendar, Bookings and Tickets * <= 4.0.4.7
CVSS V3.1
- Score: 6.1
- Severity: MEDIUM
- Confidentiality: Low
- Integrity: Low
- Availability: Low
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
Timeline
Vulnerability published
Vulnerability Reserved
Credit
D.Sim