CVE-2013-1407

Exploit

EPSS 0.31%
Veröffentlicht 13.05.2014 14:55:08
Zuletzt bearbeitet 12.04.2025 10:46:40
Quelle cve@mitre.org
CVE-Watchlists
Login
Unerledigt
Login

Events Manager < 5.3.5 & Events Manager Pro < 2.2.9 - Cross-Site Scripting

Multiple cross-site scripting (XSS) vulnerabilities in the Events Manager plugin before 5.3.5 and Events Manager Pro plugin before 2.2.9 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) scope parameter to index.php; (2) user_name, (3) dbem_phone, (4) user_email, or (5) booking_comment parameter to an event with registration enabled; or the (6) _wpnonce parameter to wp-admin/edit.php.

Mögliche Gegenmaßnahme

Events Manager – Calendar, Bookings, Tickets, and more!: Update to version 5.3.5, or a newer patched version

Events Manager Pro: Update to version 2.2.9, or a newer patched version

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 7

Weitere Schwachstelleninformationen

SystemWordPress Plugin

≫

Produkt Events Manager – Calendar, Bookings, Tickets, and more!

Version [*, 5.3.5)

SystemWordPress Plugin

≫

Produkt Events Manager Pro

Version [*, 2.2.9)

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Netweblogic ≫ Events Manager Update- Edition- SwEdition- SwPlatformwordpress Version <= 5.3.4

Netweblogic ≫ Events Manager Version5.3 Update- Edition- SwEdition- SwPlatformwordpress

Netweblogic ≫ Events Manager Version5.3.1 Update- Edition- SwEdition- SwPlatformwordpress

Netweblogic ≫ Events Manager Version5.3.2 Update- Edition- SwEdition- SwPlatformwordpress

Netweblogic ≫ Events Manager Version5.3.2.1 Update- Edition- SwEdition- SwPlatformwordpress

Netweblogic ≫ Events Manager Version5.3.3 Update- Edition- SwEdition- SwPlatformwordpress

Netweblogic ≫ Events Manager Pro Update- Edition- SwEdition- SwPlatformwordpress Version <= 2.2.7

Netweblogic ≫ Events Manager Pro Version2.2 Update- Edition- SwEdition- SwPlatformwordpress

Netweblogic ≫ Events Manager Pro Version2.2.1 Update- Edition- SwEdition- SwPlatformwordpress

Netweblogic ≫ Events Manager Pro Version2.2.2 Update- Edition- SwEdition- SwPlatformwordpress

Netweblogic ≫ Events Manager Pro Version2.2.3 Update- Edition- SwEdition- SwPlatformwordpress

Netweblogic ≫ Events Manager Pro Version2.2.4 Update- Edition- SwEdition- SwPlatformwordpress

Netweblogic ≫ Events Manager Pro Version2.2.5 Update- Edition- SwEdition- SwPlatformwordpress

Netweblogic ≫ Events Manager Pro Version2.2.6 Update- Edition- SwEdition- SwPlatformwordpress

Netweblogic ≫ Events Manager Pro Version2.2.8 Update- Edition- SwEdition- SwPlatformwordpress

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.31%	0.508

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	4.3	8.6	2.9	AV:N/AC:M/Au:N/C:N/I:P/A:N

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

http://archives.neohapsis.com/archives/bugtraq/2013-03/0034.html

Patch

Exploit

http://wp-events-plugin.com/blog/2013/01/22/5-3-5-released-includes-a-security-update

Patch

Vendor Advisory

https://www.htbridge.com/advisory/HTB23139

Patch

Exploit

https://www.wordfence.com/threat-intel/vulnerabilities/id/0c4d2829-9f99-4a2d-9bde-476fae2c99a4

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2013-1407