Cross-Site Scripting vulnerability in Events Made Easy WordPress plugin

[Summer of Pwnage <lists () securify nl>]

------------------------------------------------------------------------
Cross-Site Scripting vulnerability in Events Made Easy WordPress plugin
------------------------------------------------------------------------
Job Diesveld, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A Cross-Site Scripting vulnerability has been found in the Events Made
Easy WordPress plugin. By using this issue an attacker can create a
specially crafted event which, when posted to WordPress, injects
malicious JavaScript code into the application. This code will execute
within the browser of any user who views the relevant application
content.

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160729-0001

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
This issue has been fixed in Events Made Easy plugin version 1.6.21.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
https://sumofpwn.nl/advisory/2016/cross_site_scripting_vulnerability_in_events_made_easy_wordpress_plugin.html

------------------------------------------------------------------------
Summer of Pwnage (https://sumofpwn.nl) is a Dutch community project. Its
goal is to contribute to the security of popular, widely used OSS
projects in a fun and educational way.

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/