Vulnerability Monitor


CVE-2013-1407


Multiple cross-site scripting (XSS) vulnerabilities in the Events Manager plugin before 5.3.5 and Events Manager Pro plugin before 2.2.9 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) scope parameter to index.php; (2) user_name, (3) dbem_phone, (4) user_email, or (5) booking_comment parameter to an event with registration enabled; or the (6) _wpnonce parameter to wp-admin/edit.php.


Published

2014-05-13T14:55:08.767

Last Modified

2025-04-12T10:46:40.837

Status

Deferred

Source

[email protected]

Severity

CVSSv2: 4.3 (MEDIUM)

CVSSv2 Vector

AV:N/AC:M/Au:N/C:N/I:P/A:N

  • Access Vector: NETWORK
  • Access Complexity: MEDIUM
  • Authentication: NONE
  • Confidentiality Impact: NONE
  • Integrity Impact: PARTIAL
  • Availability Impact: NONE

Exploitability Score

8.6

Impact Score

2.9

Weaknesses
  • Type: Primary
    CWE-79

Affected Vendors & Products

| Type | Vendor | Product | Version/Range | Vulnerable? |
|---|---|---|---|---|
| Application | netweblogic | events_manager | ≤ 5.3.4 | Yes |
| Application | netweblogic | events_manager | 5.3 | Yes |
| Application | netweblogic | events_manager | 5.3.1 | Yes |
| Application | netweblogic | events_manager | 5.3.2 | Yes |
| Application | netweblogic | events_manager | 5.3.2.1 | Yes |
| Application | netweblogic | events_manager | 5.3.3 | Yes |
| Application | netweblogic | events_manager_pro | ≤ 2.2.7 | Yes |
| Application | netweblogic | events_manager_pro | 2.2 | Yes |
| Application | netweblogic | events_manager_pro | 2.2.1 | Yes |
| Application | netweblogic | events_manager_pro | 2.2.2 | Yes |
| Application | netweblogic | events_manager_pro | 2.2.3 | Yes |
| Application | netweblogic | events_manager_pro | 2.2.4 | Yes |
| Application | netweblogic | events_manager_pro | 2.2.5 | Yes |
| Application | netweblogic | events_manager_pro | 2.2.6 | Yes |
| Application | netweblogic | events_manager_pro | 2.2.8 | Yes |
