Eventprime Events Calendar Bookings And Tickets
Monthly
Stored cross-site scripting in the EventPrime events plugin for WordPress (versions through 4.3.4.2, by Metagauss) lets low-privileged or, in one configuration, unauthenticated actors persist arbitrary JavaScript through the 'new_event_type_background_color' field of the event-type creation flow. The injected script runs in the browser of any user who later views the affected page, enabling session/context theft in the WordPress front end and admin context. No public exploit has been identified at time of analysis and it is not listed in CISA KEV; the finding was reported by Wordfence.
Stored cross-site scripting in the EventPrime events plugin for WordPress (versions through 4.3.4.2, by Metagauss) lets low-privileged or, in one configuration, unauthenticated actors persist arbitrary JavaScript through the 'new_event_type_background_color' field of the event-type creation flow. The injected script runs in the browser of any user who later views the affected page, enabling session/context theft in the WordPress front end and admin context. No public exploit has been identified at time of analysis and it is not listed in CISA KEV; the finding was reported by Wordfence.