CVE-2013-1407

Events Manager < 5.3.5 & Events Manager Pro < 2.2.9 - Cross-Site Scripting

Severity Score

6.1

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Multiple cross-site scripting (XSS) vulnerabilities in the Events Manager plugin before 5.3.5 and Events Manager Pro plugin before 2.2.9 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) scope parameter to index.php; (2) user_name, (3) dbem_phone, (4) user_email, or (5) booking_comment parameter to an event with registration enabled; or the (6) _wpnonce parameter to wp-admin/edit.php.

Múltiples vulnerabilidades de tipo cross-site-scripting (XSS) en el plugin Events Manager anterior a versión 5.3.5 y el plugin Events Manager Pro anterior a versión 2.2.9 para WordPress, permiten a los atacantes remotos inyectar script web o HTML arbitrario por medio del parámetro (1) scope en el archivo index.php; del parámetro (2) user_name, (3) dbem_phone, (4) user_email o (5) booking_comment a un evento con el registro habilitado; o el parámetro (6) _wpnonce en el archivo wp-admin/edit.php.

WordPress Events Manager plugin version 5.3.3 suffers from a cross site scripting vulnerability.

*Credits: High-Tech Bridge Security Research Lab

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

Attack Vector

Network

Attack Complexity

Medium

Authentication

None

Confidentiality

None

Integrity

Partial

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2013-01-19 CVE Reserved
2013-03-07 CVE Published
2023-03-07 EPSS Updated
2024-08-06 CVE Updated
2024-08-06 First Exploit
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CAPEC

References (3)

URL	Tag	Source

URL	Date	SRC
http://archives.neohapsis.com/archives/bugtraq/2013-03/0034.html	2024-08-06
https://www.htbridge.com/advisory/HTB23139	2024-08-06

URL	Date	SRC
http://wp-events-plugin.com/blog/2013/01/22/5-3-5-released-includes-a-security-update	2014-05-20

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Netweblogic Search vendor "Netweblogic"		Events Manager Search vendor "Netweblogic" for product "Events Manager"				<= 5.3.4 Search vendor "Netweblogic" for product "Events Manager" and version " <= 5.3.4"		wordpress		Affected
Netweblogic Search vendor "Netweblogic"		Events Manager Search vendor "Netweblogic" for product "Events Manager"				5.3 Search vendor "Netweblogic" for product "Events Manager" and version "5.3"		wordpress		Affected
Netweblogic Search vendor "Netweblogic"		Events Manager Search vendor "Netweblogic" for product "Events Manager"				5.3.1 Search vendor "Netweblogic" for product "Events Manager" and version "5.3.1"		wordpress		Affected
Netweblogic Search vendor "Netweblogic"		Events Manager Search vendor "Netweblogic" for product "Events Manager"				5.3.2 Search vendor "Netweblogic" for product "Events Manager" and version "5.3.2"		wordpress		Affected
Netweblogic Search vendor "Netweblogic"		Events Manager Search vendor "Netweblogic" for product "Events Manager"				5.3.2.1 Search vendor "Netweblogic" for product "Events Manager" and version "5.3.2.1"		wordpress		Affected
Netweblogic Search vendor "Netweblogic"		Events Manager Search vendor "Netweblogic" for product "Events Manager"				5.3.3 Search vendor "Netweblogic" for product "Events Manager" and version "5.3.3"		wordpress		Affected
Netweblogic Search vendor "Netweblogic"		Events Manager Pro Search vendor "Netweblogic" for product "Events Manager Pro"				<= 2.2.7 Search vendor "Netweblogic" for product "Events Manager Pro" and version " <= 2.2.7"		wordpress		Affected
Netweblogic Search vendor "Netweblogic"		Events Manager Pro Search vendor "Netweblogic" for product "Events Manager Pro"				2.2 Search vendor "Netweblogic" for product "Events Manager Pro" and version "2.2"		wordpress		Affected
Netweblogic Search vendor "Netweblogic"		Events Manager Pro Search vendor "Netweblogic" for product "Events Manager Pro"				2.2.1 Search vendor "Netweblogic" for product "Events Manager Pro" and version "2.2.1"		wordpress		Affected
Netweblogic Search vendor "Netweblogic"		Events Manager Pro Search vendor "Netweblogic" for product "Events Manager Pro"				2.2.2 Search vendor "Netweblogic" for product "Events Manager Pro" and version "2.2.2"		wordpress		Affected
Netweblogic Search vendor "Netweblogic"		Events Manager Pro Search vendor "Netweblogic" for product "Events Manager Pro"				2.2.3 Search vendor "Netweblogic" for product "Events Manager Pro" and version "2.2.3"		wordpress		Affected
Netweblogic Search vendor "Netweblogic"		Events Manager Pro Search vendor "Netweblogic" for product "Events Manager Pro"				2.2.4 Search vendor "Netweblogic" for product "Events Manager Pro" and version "2.2.4"		wordpress		Affected
Netweblogic Search vendor "Netweblogic"		Events Manager Pro Search vendor "Netweblogic" for product "Events Manager Pro"				2.2.5 Search vendor "Netweblogic" for product "Events Manager Pro" and version "2.2.5"		wordpress		Affected
Netweblogic Search vendor "Netweblogic"		Events Manager Pro Search vendor "Netweblogic" for product "Events Manager Pro"				2.2.6 Search vendor "Netweblogic" for product "Events Manager Pro" and version "2.2.6"		wordpress		Affected
Netweblogic Search vendor "Netweblogic"		Events Manager Pro Search vendor "Netweblogic" for product "Events Manager Pro"				2.2.8 Search vendor "Netweblogic" for product "Events Manager Pro" and version "2.2.8"		wordpress		Affected