CVE-2021-24813

CWE-79Cross-site Scripting (XSS)3 documents3 sources
Severity
4.8MEDIUM
EPSS
0.2%
top 57.07%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Unknown Events Made EasyE-dynamics Events Made Easy
Timeline
PublishedNov 1
Latest updateMay 24

Description

The Events Made Easy WordPress plugin before 2.2.24 does not sanitise and escape Custom Field Names, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:NExploitability: 1.7 | Impact: 2.7

Affected Packages2 packages

CVEListV5unknown/events_made_easy2.2.242.2.24

Patches

Patch: plugins.trac.wordpress.orgPatch: plugins.trac.wordpress.org

🔴Vulnerability Details

2
GHSA
GHSA-8jpj-47rv-xvr4: The Events Made Easy WordPress plugin before 22022-05-24
CVEList
Events Made Easy < 2.2.24 - Admin+ Stored Cross-Site Scripting2021-11-01
CVE-2021-24813 (MEDIUM CVSS 4.8) | The Events Made Easy WordPress plug | cvebase.io