------------------------------------------------------------------------ Cross-Site Scripting vulnerability in Events Made Easy WordPress plugin ------------------------------------------------------------------------ Job Diesveld, July 2016 ------------------------------------------------------------------------ Abstract ------------------------------------------------------------------------ A Cross-Site Scripting vulnerability has been found in the Events Made Easy WordPress plugin. By using this issue an attacker can create a specially crafted event which, when posted to WordPress, injects malicious JavaScript code into the application. This code will execute within the browser of any user who views the relevant application content. ------------------------------------------------------------------------ OVE ID ------------------------------------------------------------------------ OVE-20160729-0001 ------------------------------------------------------------------------ Fix ------------------------------------------------------------------------ This issue has been fixed in Events Made Easy plugin version 1.6.21. ------------------------------------------------------------------------ Details ------------------------------------------------------------------------ https://sumofpwn.nl/advisory/2016/cross_site_scripting_vulnerability_in_events_made_easy_wordpress_plugin.html ------------------------------------------------------------------------ Summer of Pwnage (https://sumofpwn.nl) is a Dutch community project. Its goal is to contribute to the security of popular, widely used OSS projects in a fun and educational way.
