Eventify <= 2.1 - Admin+ Stored XSS
Description
Stored XSS vulnerability in Eventify WordPress plugin through 2.1 allows admin-level script injection even in multisite with unfiltered_html disabled.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Eventify™ WordPress plugin through version 2.1 neither sanitizes some of its settings when they are saved nor escapes them when they are rendered, making it susceptible to stored cross-site scripting (XSS). On a single-site install an administrator normally holds the unfiltered_html capability, so an admin storing raw markup in a setting is expected behaviour; the finding matters where that capability is withheld, which is the default for administrators on multisite and applies anywhere DISALLOW_UNFILTERED_HTML is set. The plugin trusts administrator input regardless of that capability, so the vulnerability affects all sites using the plugin, including multisite configurations where unfiltered_html is disallowed for administrators [1].
Exploitation
An attacker needs an administrator account (or higher) to reach the vulnerable settings. By submitting JavaScript in the unsanitized input fields, the attacker stores the payload in the plugin's options; because the plugin does not check unfiltered_html before saving, the capability restriction does not stop it. When other administrators or users with sufficient permissions open the affected settings page, the stored value is output unescaped and the script executes in their browser [1].
Impact
Successful exploitation yields stored XSS: the attacker's JavaScript runs in the browser of every other authenticated user who views the affected page, which can lead to session hijacking, defacement, or theft of sensitive data. Because the attack does not require unfiltered_html, it bypasses the restriction that multisite and DISALLOW_UNFILTERED_HTML deployments rely on to keep administrators from storing raw markup [1].
Mitigation
As of the publication date, no official fix is available and the vendor has not released a patched version. Administrators should restrict access to the plugin's settings to trusted users and consider removing the plugin if it is not essential. Sites where unfiltered_html is disallowed should also review the plugin's stored option values for injected markup, since any payload already saved will keep executing until it is removed. Monitor for updates from the developer [1].
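The following is an added illustration of the settings-handling pattern the Vulnerability, Exploitation and Mitigation sections describe; it is not Eventify's code and does not reproduce the plugin's actual option names. The option names (example_evt_title, example_evt_intro), option group (example_evt) and page slug (example-evt) are hypothetical. The first half shows a setting registered without a sanitize_callback and echoed raw, which is the class of bug reported here; the second half shows the hardened form using WordPress's own sanitization and escaping functions, with the rich-text field deferring to the unfiltered_html capability the way core does for post content.

```php
<?php
/**
 * Plugin Name: Example Settings XSS (added illustration, not Eventify code)
 *
 * Hypothetical option names (example_evt_title, example_evt_intro), option
 * group (example_evt) and page slug (example-evt) are assumptions.
 */

// ---- Vulnerable pattern: stored verbatim, echoed raw (not hooked below) ---
function example_evt_register_vulnerable() {
    // No 'sanitize_callback': the submitted value is stored as-is, whether or
    // not the saving administrator holds unfiltered_html.
    register_setting( 'example_evt', 'example_evt_title' );
}

function example_evt_field_vulnerable() {
    // Unescaped value inside an attribute: a stored  "><script>...</script>
    // closes the attribute and runs for every user who loads the page.
    echo '<input type="text" name="example_evt_title" value="'
        . get_option( 'example_evt_title', '' ) . '">';
}

// ---- Hardened pattern: sanitize on save, escape on output -----------------
function example_evt_sanitize_intro( $value ) {
    // Only users who actually hold unfiltered_html (single-site administrators
    // by default, super admins on multisite) may store arbitrary markup.
    // Everyone else, including multisite administrators, is limited to the
    // post-safe allow-list, which drops <script>, on* handlers and
    // javascript: URLs.
    if ( current_user_can( 'unfiltered_html' ) ) {
        return $value;
    }
    return wp_kses_post( $value );
}

function example_evt_register_hardened() {
    register_setting( 'example_evt', 'example_evt_title', array(
        'type'              => 'string',
        'sanitize_callback' => 'sanitize_text_field', // plain text: no tags
        'default'           => '',
    ) );
    register_setting( 'example_evt', 'example_evt_intro', array(
        'type'              => 'string',
        'sanitize_callback' => 'example_evt_sanitize_intro',
        'default'           => '',
    ) );
}
add_action( 'admin_init', 'example_evt_register_hardened' );

function example_evt_settings_page() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    ?>
    <div class="wrap">
      <h1>Example Event Settings</h1>
      <form method="post" action="options.php">
        <?php settings_fields( 'example_evt' ); // nonce + option_page fields ?>
        <p><label>Title
          <input type="text" name="example_evt_title"
                 value="<?php echo esc_attr( get_option( 'example_evt_title', '' ) ); ?>">
        </label></p>
        <p><label>Intro (limited HTML)
          <textarea name="example_evt_intro"><?php
              echo esc_textarea( get_option( 'example_evt_intro', '' ) );
          ?></textarea>
        </label></p>
        <?php submit_button(); ?>
      </form>
    </div>
    <?php
}

function example_evt_add_menu() {
    add_options_page( 'Example Event', 'Example Event', 'manage_options',
        'example-evt', 'example_evt_settings_page' );
}
add_action( 'admin_menu', 'example_evt_add_menu' );

// Read-side rendering of the rich-text intro: filter again on output rather
// than trusting that whatever is in the database was sanitized on the way in.
function example_evt_shortcode_intro() {
    return wp_kses_post( get_option( 'example_evt_intro', '' ) );
}
add_shortcode( 'example_evt_intro', 'example_evt_shortcode_intro' );
```

The sanitize_callback runs when options.php saves the option, so the capability check happens at write time in the context of the submitting user; escaping with esc_attr and esc_textarea at output time protects the settings page even if a payload was stored before the fix, which is why both layers are kept.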
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
WordPress / Eventify, versions through 2.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1. wpscan.com/vulnerability/037a81b2-8fd8-4898-bb5b-d15d9a38778c (tags: mitre, exploit, vdb-entry, technical-description)
News mentions
No linked articles in our index yet.