WordPress Plugin Events Manager Extended - Persistent Cross-Site Scripting

Author: Craw
type: webapps
platform: php
date_added: 2010-09-06  
date_updated: 2010-09-06  
verified: 0  
codes: OSVDB-67940  
tags: WordPress Plugin  
application_url: http://www.exploit-db.comevents-manager-extended.3.1.2.zip  

raw file: 14923.txt  
# Author: Craw
# Email: craw@element7.eu
# Software Link: http://wordpress.org/extend/plugins/events-manager-extended/
# Version: 3.1.2
# Category: webapplications

=======================================================


[+] ExploiT [1] : If you are allowed to leave a comment:

   Persistent XSS Vulnerability: You can inject JavaScript code in your comment.
   The code will be displayed below the event.


[+] ExploiT [2] : If you are allowed to book an event:

   Persistent XSS Vulnerability: You can inject JavaScript code in [Name], [Email], [Phonenumber], [Comment].
   The code will be displayed in the WordPress backend -> http://www.site.com/wp-admin/admin.php?page=events-manager-people


=======================================================
Greetz @ LUXEMBOURG
=======================================================
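
The fix for both issues is to escape stored values where they are printed. The sketch below is an added example, not code from Events Manager Extended or from the advisory's author: the function names and array keys are hypothetical, and it assumes the backend people page prints the four booking fields into a table row. Inside WordPress, esc_html() and esc_attr() would take the place of the h() helper.

```php
<?php
// Added example; function and array key names are hypothetical, not the plugin's.

/** Escape a value for an HTML text node or a quoted attribute. */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Defence in depth: normalise the booking fields before they are stored. */
function clean_booking(array $in): array
{
    $email = filter_var(trim((string) ($in['email'] ?? '')), FILTER_VALIDATE_EMAIL);
    return [
        'name'    => trim(strip_tags((string) ($in['name'] ?? ''))),
        'email'   => $email === false ? '' : $email,
        'phone'   => (string) preg_replace('/[^0-9+()\-. ]/', '', (string) ($in['phone'] ?? '')),
        'comment' => trim((string) ($in['comment'] ?? '')),
    ];
}

/** The flaw class: stored values concatenated into markup as-is. */
function render_row_unsafe(array $b): string
{
    return "<tr><td>{$b['name']}</td><td>{$b['email']}</td>"
         . "<td>{$b['phone']}</td><td>{$b['comment']}</td></tr>";
}

/** Hardened: every stored value is escaped at the point of output. */
function render_row(array $b): string
{
    return '<tr><td>' . h($b['name']) . '</td>'
         . '<td><a href="mailto:' . h($b['email']) . '">' . h($b['email']) . '</a></td>'
         . '<td>' . h($b['phone']) . '</td>'
         . '<td>' . h($b['comment']) . '</td></tr>';
}

// Constructed sample booking: markup in every field the advisory lists.
$probe = '<script>alert(1)</script>';
$raw   = ['name' => $probe, 'email' => $probe, 'phone' => $probe, 'comment' => $probe];

echo render_row_unsafe($raw), "\n";            // markup reaches the page intact
echo render_row($raw), "\n";                   // rendered as inert text
echo render_row(clean_booking($raw)), "\n";    // cleaned on input, escaped on output
```

Output escaping is the control that closes the hole; the input cleaning only reduces what gets stored and does not replace it.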