CVE-2013-1407

Netweblogic Events Manager < 5.3.4 - XSS

Title source: rule

Description

Multiple cross-site scripting (XSS) vulnerabilities in the Events Manager plugin before 5.3.5 and Events Manager Pro plugin before 2.2.9 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) scope parameter to index.php; (2) user_name, (3) dbem_phone, (4) user_email, or (5) booking_comment parameter to an event with registration enabled; or the (6) _wpnonce parameter to wp-admin/edit.php.

References (3)

[Exploit, Patch] http://archives.neohapsis.com/archives/bugtraq/2013-03/0034.html

[Patch, Vendor Advisory] http://wp-events-plugin.com/blog/2013/01/22/5-3-5-released-includes-a-security-update

[Exploit, Patch] https://www.htbridge.com/advisory/HTB23139

Scores

EPSS 0.0031

EPSS Percentile 53.6%

Details

CWE

CWE-79

Status published

Products (16)

netweblogic/events_manager < 5.3.4

netweblogic/events_manager

netweblogic/events_manager

netweblogic/events_manager

netweblogic/events_manager

netweblogic/events_manager

netweblogic/events_manager_pro < 2.2.7

netweblogic/events_manager_pro

netweblogic/events_manager_pro

netweblogic/events_manager_pro

... and 6 more

Published May 13, 2014

Tracked Since Feb 18, 2026