Events Manager 5.8.1.1 – Stored XSS

Info

Product: Events Manager
Version: 5.8.1.1
Active installations: 100,000+
Product page: https://it.wordpress.org/plugins/events-manager/
CVE: 2018-9020

Description

An unauthenticated user or a user without privileges, who can submit an event, can inject javascript code in the Google Maps miniature. The malicious code runs in the admin panel when a user with privileges opens the submitted event.

The problem is in the file events-manager.js, the variable mapTitle is not escaped.

Proof of Concept

Events Manager 5.8.1.1 is vulnerable, probably earlier versions too.

Marcus Sykes, the Events Manager’s developer, fixed the vulnerability on January, 15th, and published a post on his blog about it.

10/01/2018 - I send the report
15/01/2018 - Events Manager is updated to version 5.8.1.2 and the vulnerability is fixed
26/03/2018 - Public disclosure