CVE-2022-0418 – Event List < 0.8.8 - Admin+ Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2022-0418
The Event List WordPress plugin before 0.8.8 does not sanitise and escape some of its settings, allowing high-privilege users such as admins to perform Cross-Site Scripting attacks against other admins even when unfiltered_html is disallowed.
The Event List WordPress plugin through 0.8.8 does not sanitise and escape some of its settings, allowing high-privilege users such as admins to perform Cross-Site Scripting attacks against other admins even when unfiltered_html is disallowed.
• https://wpscan.com/vulnerability/74888a9f-fb75-443d-bb85-0120cbb764a0
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2017-12068 – Event List <= 0.7.9 - Unauthenticated Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2017-12068
The Event List plugin 0.7.9 for WordPress has XSS in the slug array parameter to wp-admin/admin.php in an el_admin_categories delete_bulk action.
• https://github.com/kevins1022/cve/blob/master/wordpress-event-list.md
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')