CVE-2022-25611: WordPress Simple Event Planner plugin <= 1.5.4 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability - Patchstack
Authenticated Stored Cross-Site Scripting (XSS) in the Simple Event Planner plugin <= 1.5.4 allows authenticated users with the Contributor role or higher to inject script through the vulnerable custom[add_seg][] request parameter. The injected payload is stored and later rendered to other users of the site.
Fixed
CVSS 3.1 score: 4.1 (Medium severity)
Vulnerable versions
<= 1.5.4
PSID
ecc29a0fe24f
Classification
Cross Site Scripting (XSS)
OWASP Top 10
A7:2017 Cross-Site Scripting (XSS)
Required privilege
Requires authentication as a user with the Contributor role or higher. Contributor is the lowest default WordPress role that can create posts, so any site that lets users register at that level or above exposes this issue.
Credits
Ngo Van Thien (Patchstack Alliance)
Publicly disclosed
2022-03-23
Details
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Ngo Van Thien (Patchstack Alliance) in the WordPress Simple Event Planner plugin (versions <= 1.5.4). Values submitted in the custom[add_seg][] parameter are stored by the plugin and later output without adequate escaping, so script supplied by a Contributor-level user executes in the browser of any user who subsequently loads the page that renders that value, which may include higher-privileged users such as administrators.
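The advisory does not publish the affected code, so the following is an added, illustrative example and not the plugin's own source. It shows a hypothetical WordPress handler for an array-valued custom[add_seg][] field, first in the unsafe shape that produces exactly this class of stored XSS, then hardened with a nonce and capability check, input sanitisation and output escaping. The function names, the meta key, the nonce action and the hook are assumptions; the code must run inside WordPress, which supplies update_post_meta, sanitize_text_field, esc_attr and the other WordPress functions used.

```php
<?php
/*
 * Illustrative handler for an array-valued POST parameter named
 * custom[add_seg][] (the parameter named in the advisory). This is NOT the
 * Simple Event Planner plugin's code; the plugin's real handler is not shown
 * on the advisory page. Function names, meta key, nonce action and hook names
 * are assumed for the example.
 */

// --- Vulnerable pattern (assumed): raw request data stored, then echoed unescaped ---
function sep_demo_save_segments_vulnerable( $post_id ) {
    if ( isset( $_POST['custom']['add_seg'] ) ) {
        // No capability check, no nonce, no sanitisation: whatever a
        // Contributor submits is persisted verbatim.
        update_post_meta( $post_id, '_sep_demo_segments', $_POST['custom']['add_seg'] );
    }
}

function sep_demo_render_segments_vulnerable( $post_id ) {
    foreach ( (array) get_post_meta( $post_id, '_sep_demo_segments', true ) as $seg ) {
        // The stored value is concatenated into HTML unescaped. A value such as
        // "><script>...</script> breaks out of the attribute and runs for every
        // user who views this page, including administrators.
        echo '<input type="text" name="custom[add_seg][]" value="' . $seg . '">';
    }
}

// --- Hardened pattern: verify intent and capability, sanitise on input, escape on output ---
function sep_demo_save_segments_hardened( $post_id ) {
    if ( ! isset( $_POST['custom']['add_seg'] ) ) {
        return;
    }
    // Reject forged submissions (nonce action/field names are assumed) and
    // users who are not allowed to edit this particular post.
    check_admin_referer( 'sep_demo_save_segments', 'sep_demo_nonce' );
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }
    // Normalise to a flat list of plain strings: undo the slashes WordPress
    // adds to request data, drop non-scalar entries, strip tags and control
    // characters from each remaining entry.
    $raw  = (array) wp_unslash( $_POST['custom']['add_seg'] );
    $segs = array();
    foreach ( $raw as $seg ) {
        if ( is_scalar( $seg ) ) {
            $segs[] = sanitize_text_field( (string) $seg );
        }
    }
    update_post_meta( $post_id, '_sep_demo_segments', $segs );
}

function sep_demo_render_segments_hardened( $post_id ) {
    foreach ( (array) get_post_meta( $post_id, '_sep_demo_segments', true ) as $seg ) {
        // Escape at the point of output, for the HTML attribute context the
        // value lands in. Output escaping is the control that prevents XSS;
        // the input sanitisation above is defence in depth, not a substitute.
        printf(
            '<input type="text" name="custom[add_seg][]" value="%s">',
            esc_attr( $seg )
        );
    }
}

// Hook name assumed for the example; the real plugin may save on a different action.
add_action( 'save_post', 'sep_demo_save_segments_hardened' );
```

The important design point is that escaping is chosen per output context: esc_attr() for attribute values as above, esc_html() for text between tags, esc_url() for href/src, and wp_json_encode() for values embedded in script. Sanitising on input alone is insufficient because the same stored value can later be emitted into a context the sanitiser did not anticipate.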
Solution
Update the WordPress Simple Event Planner plugin to version 1.5.5 or later, where this issue is fixed. Values already stored by a vulnerable version are not cleaned by the update, so after patching review existing event data submitted by Contributor-level accounts for injected markup.
References
CVE-2022-25611
Plugin changelog