Support » Plugin: Events Manager » XSS Vulnerabilities

  • Long-time user of Events Manager. It has always worked well, but I just got an error with a recent security scan.

    Here are the details from the scan.
    WordPress plugin Events Manager version 5.9.5 and prior suffers from multiple XSS vulnerabilities. There are multiple stored XSS (cross-site scripting) issues in file events-manager/trunk/admin/settings/tabs/pages.php on the events-manager-options page. The reason: unsanitized user input from the following parameters: ….

    I can provide the full scan info if interested, but I didn’t want to expose the specific parameters in the forum.

    Please advise.

Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Support timrv

    (@timrv)

    Hello,

    Thanks for letting us know. We’re already aware of this issue, and after having reviewed the allegedly vulnerable code we’ve concluded that this is a false positive, since only administrators with valid access can change that information. Administrators have the power to upload plugins and inject pretty much anything into posts/pages, so this cannot be considered a vulnerability.

    We are in touch with SiteLock already and working with their engineers to clear this up and hopefully get this code whitelisted, or alternatively adjust our code in the next update so that it doesn’t get flagged by their scanner.

    We must stress that currently, we believe this to be a false positive, however we take security seriously and will continue looking into it until the problem is fully resolved.
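    The triage rule in the reply above, written out as code. This is an added example, not Events Manager code and not anything from the flagged pages.php file: a hypothetical WordPress settings handler whose option key, nonce action and field names (`ex_plugin_page_settings`, `ex_plugin_save_settings`, `page_title`, `page_intro`, `page_link`) are invented for illustration. It shows the two things a practitioner checks when a scanner reports stored XSS on an admin settings page: who can reach the write path, and whether the stored value is escaped where it is printed.

```php
<?php
// Hypothetical WordPress settings handler (added example, not plugin code).
// Option key, nonce action and field names below are invented for illustration.
define( 'EX_OPTION', 'ex_plugin_page_settings' );  // hypothetical option key
define( 'EX_NONCE',  'ex_plugin_save_settings' );  // hypothetical nonce action

/**
 * Check 1: who can reach the write path?
 * Only a logged-in user holding manage_options with a valid nonce gets through.
 * On a single-site install that role also holds unfiltered_html, so a stored
 * value written here is not a privilege boundary for anyone else.
 */
function ex_can_save_settings() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return false;                       // not an administrator
    }
    check_admin_referer( EX_NONCE );        // wp_die()s on a missing/bad nonce
    return true;
}

/**
 * Check 2: is the value sanitised on input? Even with a trusted writer this
 * keeps the option safe to print anywhere and keeps scanners quiet.
 */
function ex_save_settings( array $post ) {
    if ( ! ex_can_save_settings() ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    $raw      = wp_unslash( $post );
    $settings = array(
        // plain string: strip tags and control characters
        'page_title' => sanitize_text_field( $raw['page_title'] ?? '' ),
        // rich text: allow the same HTML a post may contain, nothing more
        'page_intro' => wp_kses_post( $raw['page_intro'] ?? '' ),
        // expected to be a URL; esc_url_raw() is the storage-safe variant
        'page_link'  => esc_url_raw( $raw['page_link'] ?? '' ),
    );
    update_option( EX_OPTION, $settings );
    return $settings;
}

/**
 * Output: escape for the context each value lands in. Output escaping is what
 * actually prevents stored XSS; the input sanitising above is defence in depth.
 */
function ex_render_settings_form() {
    $s = wp_parse_args( get_option( EX_OPTION, array() ), array(
        'page_title' => '',
        'page_intro' => '',
        'page_link'  => '',
    ) );
    ?>
    <form method="post">
        <?php wp_nonce_field( EX_NONCE ); ?>
        <input type="text" name="page_title"
               value="<?php echo esc_attr( $s['page_title'] ); ?>">
        <textarea name="page_intro"><?php echo esc_textarea( $s['page_intro'] ); ?></textarea>
        <input type="url" name="page_link"
               value="<?php echo esc_url( $s['page_link'] ); ?>">
        <?php submit_button(); ?>
    </form>
    <?php
}
```

    When reviewing a finding like the one in this thread, read the flagged file for the first check: if the only path that writes the parameters sits behind a `manage_options` capability test and a nonce, the writer is an administrator who can already publish arbitrary HTML, so the report is not a privilege escalation on single-site WordPress. One caveat worth keeping in mind for other installs: on multisite, site administrators do not hold `unfiltered_html` unless a super admin grants it, so the same pattern carries more weight there. Nothing in this thread indicates such a configuration.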

  • Thank you!! Will assume false positive until otherwise informed.

  • Plugin Author Marcus

    (@netweblogic)

    Hi everyone (and anyone else reading),

    Just to let you know, a SiteLock engineer reached out to me today to confirm that this was a false positive, as suspected, and that it shouldn’t appear any more in your scanner. This is part of their message confirming it:

    After reviewing the content of the vulnerability and reading some more information regarding the submission, we have completely removed the rule from our database.
