← Back

CVE-2013-1407

nvd nist
Published: May 13, 2014Modified: May 6, 2026

JSON object

Loading...
4.3
Vector
AV:N/AC:M/Au:N/C:N/I:P/A:N
Exploitability: 8.6 / Impact: 2.9
Source: NVD

Description

Multiple cross-site scripting (XSS) vulnerabilities in the Events Manager plugin before 5.3.5 and Events Manager Pro plugin before 2.2.9 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) scope parameter to index.php; (2) user_name, (3) dbem_phone, (4) user_email, or (5) booking_comment parameter to an event with registration enabled; or the (6) _wpnonce parameter to wp-admin/edit.php.

Affected (15)

Netweblogic
2 products
Events Manager
Events Manager Pro
Configuration A
6 vulnerable
Vulnerable SoftwareAffected Versions
Netweblogic
Events Manager
Up to 5.3.4
Events Manager
Version 5.3.1
Events Manager
Version 5.3.2.1
Events Manager
Version 5.3.2
Events Manager
Version 5.3.3
Events Manager
Version 5.3
Configuration B
9 vulnerable
Vulnerable SoftwareAffected Versions
Netweblogic
Events Manager Pro
Up to 2.2.7
Events Manager Pro
Version 2.2.1
Events Manager Pro
Version 2.2.2
Events Manager Pro
Version 2.2.3
Events Manager Pro
Version 2.2.4
Events Manager Pro
Version 2.2.5
Events Manager Pro
Version 2.2.6
Events Manager Pro
Version 2.2.8
Events Manager Pro
Version 2.2

Related CWEs

CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (6)

Source: cve@mitre.org
ExploitPatch
Source: cve@mitre.org
PatchVendor Advisory
Source: cve@mitre.org
ExploitPatch
Source: af854a3a-2127-422b-91ae-364da2661108
ExploitPatch
Source: af854a3a-2127-422b-91ae-364da2661108
PatchVendor Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
ExploitPatch

Timeline

No history available yet.