CVE-2024-0614 — Events Manager <= 6.4.6.4 Administrator+ Stored Cross-Site Scripting via Settings

The Events Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via its admin settings in all versions up to, and including, 6.4.6.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with administrator-level permissions and above to inject arbitrary web scripts into pages that will execute whenever a user visits an injected page. Because single-site administrators already hold the unfiltered_html capability, this only crosses a privilege boundary on multi-site installations and on installations where unfiltered_html has been disabled (for example via DISALLOW_UNFILTERED_HTML).

Proof of Concept

  1. Go to the plugin's settings page at /wp-admin/edit.php?post_type=event&page=events-manager-options#general
  2. Under the Privacy tab, enter the XSS payload in the Consent Text field: <img src onerror=alert(/XSS/)>I consent to my submitted data being collected and stored as outlined by the site %s.
  3. Create a new event and check “Enable registration for this event”

The stored XSS payload executes on the event page once registration is enabled, because the booking form renders the consent text without escaping it.
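The following PHP is an added illustration of the vulnerable pattern beside two hardened forms; it is not Events Manager's own code, and the em_demo_* function names and the demo_consent_text option name are hypothetical. It assumes it runs inside WordPress (wp_kses_post, esc_html, esc_url, get_privacy_policy_url, current_user_can and the sanitize_option_{$option} filter are core functions). The stored value is the PoC payload from step 2.

```php
<?php
// Added example, not plugin code. Function/option names are hypothetical.

// What an administrator without unfiltered_html (multisite, or with
// DISALLOW_UNFILTERED_HTML set) ends up storing: the settings page does not
// run the value through kses, so the payload is saved verbatim.
$stored = '<img src onerror=alert(/XSS/)>I consent to my submitted data being '
        . 'collected and stored as outlined by the site %s.';
$privacy_link = '<a href="' . esc_url( get_privacy_policy_url() ) . '">privacy policy</a>';

// Vulnerable pattern: the option is interpolated and echoed unescaped, so the
// onerror handler reaches every visitor who loads the booking form.
function em_demo_consent_vulnerable( $text, $link ) {
    return sprintf( $text, $link );
}

// Hardened pattern, output side: restrict to the post-safe tag set.
// wp_kses_post() keeps <a> and <img> but strips event-handler attributes such
// as onerror, so the stored payload degrades to an inert tag while the
// %s link survives.
function em_demo_consent_hardened( $text, $link ) {
    return wp_kses_post( sprintf( $text, $link ) );
}

// Stricter alternative when the setting is meant to be plain text with one
// link placeholder: escape the text first, then substitute the trusted link.
function em_demo_consent_plain( $text, $link ) {
    return sprintf( esc_html( $text ), $link );
}

// Hardened pattern, input side: mirror what core does for post content.
// Users who hold unfiltered_html (single-site admins, multisite super admins)
// may keep raw markup; everyone else has the value kses-filtered before it
// is stored, which is exactly the boundary this advisory is about.
function em_demo_sanitize_consent_setting( $value ) {
    if ( current_user_can( 'unfiltered_html' ) ) {
        return $value;
    }
    return wp_kses_post( $value );
}
add_filter( 'sanitize_option_demo_consent_text', 'em_demo_sanitize_consent_setting' );

// Rendering both forms side by side in a template:
echo em_demo_consent_vulnerable( $stored, $privacy_link ); // <img src onerror=alert(/XSS/)> ... executes
echo em_demo_consent_hardened( $stored, $privacy_link );   // onerror removed, link kept
echo em_demo_consent_plain( $stored, $privacy_link );      // tag shown as text, link kept
```

The output-side fix alone is enough to stop the script from running, but filtering on save as well keeps the stored option clean for other consumers (exports, emails, REST responses) that may not escape it.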

Impact

This makes it possible for authenticated attackers with administrator-level permissions and above to inject arbitrary web scripts into pages that will execute whenever a user visits an injected page. The issue only affects multi-site installations and installations where unfiltered_html has been disabled, since elsewhere administrators are already permitted to store unfiltered HTML.