CVE-2023-4423

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2023-4423
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-4423.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2023-4423
Published
2023-09-27T15:19:40.383Z
Modified
2026-03-15T14:46:02.449395Z
Severity
  • 4.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
Summary
[none]
Details

The WP Event Manager – Events Calendar, Registrations, Sell Tickets with WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in versions up to, and including, 3.1.37.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

References

Affected packages

Git / github.com/wpeventmanager/wp-event-manager

Affected ranges

Type
GIT
Repo
https://github.com/wpeventmanager/wp-event-manager
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
cda76d7cf6952390755edd40994885bcbb16ca4a
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "3.1.38"
        }
    ]
}

Affected versions

3.*
3.1.14
3.1.15
3.1.16
3.1.17
3.1.18
3.1.19
3.1.20
3.1.21
3.1.23
3.1.24
3.1.25
3.1.26
3.1.27
3.1.28
3.1.29
3.1.30
3.1.31
3.1.32
3.1.33
3.1.34
3.1.35
3.1.37
3.1.37.1

Database specific

source 
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-4423.json"