Support » Plugin: Events Manager » vulnerability with plugin?? message from SiteLock

  • Resolved wmbweb


    I got this message today: “Your complimentary SiteLock scanner has found a vulnerability on your website.” SiteLock is connected to, which hosts my site. The scan found a vulnerability related to the events manager plugin. I didn’t find any plugin updates, so I was told to check with the developer of the plugin for any additional patches or information back from them on the plugin. MyDomain/SiteLock support guy said:
    “This is the information that I can provide you….
    Events Manager 5.9.5
    Severity: Critical
    Category: xss
    Summary: Events Manager < 5.9.5 – Multiple XSS
    Description: WordPress plugin Events Manager version 5.9.5 and prior suffers from multiple XSS vulnerabilities. There is multiple stored XSS(Cross-site Scripting) in file events-manager/trunk/admin/settings/tabs/pages.php events-manager-options page. The reason – Unsanitized user’s input from the following parameters: dbem_cp_events_slug dbem_cp_locations_slug dbem_taxonomy_category_slug dbem_taxonomy_tag_slug Exploiting this vulnerability requires authentication. Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it.”

    Anyone know what to do? THANKS!

    The page I need help with: [log in to see the link]

Viewing 4 replies - 1 through 4 (of 4 total)
  • Plugin Support angelo_nwl


    Thanks for letting us know. We’re already aware of this issue and after having reviewed the alleged vulnerable code we’ve concluded that this is a false positive, since only administrators with valid access can change that information. Administrators have the power to upload plugins and inject pretty much anything into posts/pages, so this cannot be considered a vulnerability.

    We are in touch with Sitelock already and working with their engineers to clear this up and hopefully get this code whitelisted, or alternatively adjust our code in the next update so that it doesn’t get flagged by their scanner.

    Great News! Thanks for the update. I got the same multiple XSS vulnerabilities message today.

    Ryan here from

    We have confirmed that the the vulnerability is only exploitable by administrative users and also requires a valid CSRF nonce. Details that were not given by the original researcher.

    Therefore there is no inherent risk. We have deleted the issue from our database.

    Plugin Author Marcus


    Hi everyone (and anyone else reading),

    Just to let you know, a SiteLock engineer reached out to me today to confirm that this was a false positive, as suspected and that it shouldn’t appear any more in your scanner, this is part of their message confirming it:

    After reviewing the content of the vulnerability and reading some more information regarding the submission, we have completely removed the rule from our database.

    @ethicalhack3r I didn’t see this thread myself, but I appreciate you replied so early on.

    • This reply was modified 1 month, 3 weeks ago by Marcus.
Viewing 4 replies - 1 through 4 (of 4 total)
  • You must be logged in to reply to this topic.