CVE-2024-9864 — Cross-site Scripting in Eventprime

CWE-79 — Cross-site Scripting3 documents3 sources

Severity

6.1MEDIUMNVD

EPSS

2.2%

top 15.70%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Metagauss Eventprime

Timeline

PublishedOct 24

Description

The EventPrime – Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via ticket names in all versions up to, and including, 4.0.4.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This is only exploitable when front-end users can submit new events with tickets.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages1 packages

▶NVDmetagauss/eventprime< 4.0.4.8

Patches

Patch: plugins.trac.wordpress.org ↗

🔴Vulnerability Details

CVEList

EventPrime – Modern Events Calendar, Bookings and Tickets <= 4.0.4.7 - Unauthenticated Stored Cross-Site Scripting↗2024-10-24

▶

GHSA

GHSA-55gg-5hf5-7f4j: The EventPrime – Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via ticket names in all versi↗2024-10-24

▶