CVE-2020-29395
Published: 2020-11-30

CVE-2020-29395: The EventON plugin through 3.0.5 for WordPress allows addons/?q= XSS via the search field.
Priority: P3 · Severity: medium · CVSS 3.1 base score: 6.1
CVSS vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Exploit: public exploit available (see Exploit-DB below)
EPSS: 11.70% (95.5th percentile)
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| myeventon | eventon | <= 3.0.5 | — |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| NVD | 2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
No detection rules found.
Exploit-DB
Wordpress Plugin EventON Calendar 3.0.5 - Reflected Cross-Site Scripting
Source: Exploit-DB · 2020-12-01
---
# Exploit Title: Wordpress Plugin EventON Calendar 3.0.5 - Reflected Cross-Site Scripting
# Date: 27.11.2020
# Exploit Author: b3kc4t (Mustafa GUNDOGDU)
# Vendor Homepage: https://www.myeventon.com/
# Version: 3.0.5
# Tested on: Ubuntu 18.04
# CVE : 2020-29395
# Description Link:
https://github.com/mustgundogdu/Research/tree/main/EventON_PLUGIN_XSS
"""
~ VULNERABILITY DETAILS ~
https://target/addons/?q=
#
WordPress sites that use EventON Calendar are vulnerable to reflected XSS through JavaScript payloads injected
into the search field.
#
The following python code will inject javascript code and print out url that will be sent to victim.
If you use Unicode characters for XSS, the exploit will print the page source.
##U
Nuclei
Wordpress EventON Calendar 3.0.5 - Cross-Site Scripting
Source: Nuclei template · CVSS 6.1
Wordpress EventON Calendar 3.0.5 is vulnerable to cross-site scripting because it allows addons/?q= XSS via the search field.
Template:

```yaml
id: CVE-2020-29395
info:
  name: Wordpress EventON Calendar 3.0.5 - Cross-Site Scripting
  author: daffainfo
  severity: medium
  description: Wordpress EventON Calendar 3.0.5 is vulnerable to cross-site scripting because it allows addons/?q= XSS via the search field.
  impact: |
    Successful exploitation of this vulnerability could lead to the execution of arbitrary script code in the context of the affected website, potentially allowing an attacker to steal sensitive information or perform unauthorized actions.
  remediation: |
    Update to the latest version of the Wordpress EventON Calendar plugin (3.0.6) to m
```
No writeups or analysis indexed.
References:
- http://packetstormsecurity.com/files/160282/WordPress-EventON-Calendar-3.0.5-Cross-Site-Scripting.html
- https://github.com/mustgundogdu/Research/tree/main/EventON_PLUGIN_XSS
- https://www.myeventon.com/news/