CVE-2022-25612 WordPress Simple Event Planner plugin <= 1.5.4 - Multiple Authenticated Persistent Cross-Site Scripting (XSS) vulnerabilities

2022-03-2518:02:36

CWE-79

Patchstack

www.cve.org

wordpress

event planner

1.5.4

authenticated

persistent

xss

vulnerabilities

CVSS3

4.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N

EPSS

0.001

Percentile

19.4%

JSON

Multiple Authenticated Persistent Cross-Site Scripting (XSS) vulnerabilities in Simple Event Planner WordPress plugin <= 1.5.4 allows user with author or higher user rights inject the malicious code via vulnerable parameters: &custom[event_organiser], &custom[organiser_email], &custom[organiser_contact].

CNA Affected

[
  {
    "product": "Simple Event Planner (WordPress plugin)",
    "vendor": "PressTigers",
    "versions": [
      {
        "lessThanOrEqual": "1.5.5",
        "status": "affected",
        "version": "<= 1.5.4",
        "versionType": "custom"
      }
    ]
  }
]

References

patchstack.com/database/vulnerability/simple-event-planner/wordpress-simple-event-planner-plugin-1-5-4-multiple-authenticated-persistent-cross-site-scripting-xss-vulnerabilities

wordpress.org/plugins/simple-event-planner/#developers