E-Dynamics Events Made Easy vulnerabilities

5 known vulnerabilities affecting e-dynamics/events_made_easy.

Total CVEs
5
CISA KEV
0
Public exploits
0
Exploited in wild
0
Severity breakdown
CRITICAL1HIGH2MEDIUM2

Vulnerabilities

Page 1 of 1
CVE-2023-28660HIGHCVSS 8.8≤ 2.3.142023-03-22
CVE-2023-28660 [HIGH] CWE-89 CVE-2023-28660: The Events Made Easy WordPress Plugin, version <= 2.3.14 is affected by an authenticated SQL injecti The Events Made Easy WordPress Plugin, version <= 2.3.14 is affected by an authenticated SQL injection vulnerability in the 'search_name' parameter in the eme_recurrences_list action.
nvd
CVE-2023-0404MEDIUMCVSS 5.4≤ 2.3.162023-01-19
CVE-2023-0404 [MEDIUM] CWE-862 CVE-2023-0404: The Events Made Easy plugin for WordPress is vulnerable to authorization bypass due to a missing cap The Events Made Easy plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on several functions related to AJAX actions in versions up to, and including, 2.3.16. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to invoke those functions intended for administrator us
nvd
CVE-2022-1905CRITICALCVSS 9.8fixed in 2.2.812022-06-20
CVE-2022-1905 [CRITICAL] CWE-89 CVE-2022-1905: The Events Made Easy WordPress plugin before 2.2.81 does not properly sanitise and escape a paramete The Events Made Easy WordPress plugin before 2.2.81 does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection
nvd
CVE-2021-25030HIGHCVSS 8.8fixed in 2.2.362022-01-03
CVE-2021-25030 [HIGH] CWE-89 CVE-2021-25030: The Events Made Easy WordPress plugin before 2.2.36 does not sanitise and escape the search_text par The Events Made Easy WordPress plugin before 2.2.36 does not sanitise and escape the search_text parameter before using it in a SQL statement via the eme_searchmail AJAX action, available to any authenticated users. As a result, users with a role as low as subscriber can call it and perform SQL injection attacks
nvd
CVE-2021-24813MEDIUMCVSS 4.8fixed in 2.2.242021-11-01
CVE-2021-24813 [MEDIUM] CWE-79 CVE-2021-24813: The Events Made Easy WordPress plugin before 2.2.24 does not sanitise and escape Custom Field Names, The Events Made Easy WordPress plugin before 2.2.24 does not sanitise and escape Custom Field Names, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed
nvd