CVE-2020-29395 XSS in WordPress plugin EventON
Virsec Security Research Lab Vulnerability Analysis
The Virsec Security Research Lab provides timely, relevant analysis about recent and notable security vulnerabilities.
1.1 Vulnerability Summary
The EventON plugin through 3.0.5 for WordPress allows XSS via the search field, reflected through the q parameter of addons/?q=.
Watch the video to learn more about this and other important vulnerabilities.
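To make the vulnerability class concrete for developers and reviewers, the following is an added illustration, not EventON's code and not taken from the advisory: a hypothetical WordPress search handler that reflects the q query parameter back into the page, shown first in the unsafe form and then hardened with input sanitization and context-specific output escaping. The render_search_* function names and the sample request are constructed for this example; the esc_html(), esc_attr() and sanitize_text_field() stand-ins exist only so the file runs outside WordPress, where the real helpers from wp-includes take over.

```php
<?php
// Added example: hypothetical search handler illustrating reflected XSS.
// Not EventON's code; the handler and sample input are constructed.

// Stand-ins so this file runs outside WordPress. Inside WordPress the real
// esc_html()/esc_attr()/sanitize_text_field() are defined and these are skipped.
if (!function_exists('esc_html')) {
    function esc_html(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('sanitize_text_field')) {
    // Approximation of the WordPress helper: drop tags and control bytes,
    // collapse whitespace.
    function sanitize_text_field(string $s): string {
        $s = strip_tags($s);
        $s = preg_replace('/[\x00-\x1F\x7F]/', '', $s);
        return trim(preg_replace('/\s+/', ' ', $s));
    }
}

// Vulnerable pattern: the raw parameter is written into an attribute value
// and into element text without escaping, so any markup in q becomes part
// of the page.
function render_search_vulnerable(array $get): string {
    $q = $get['q'] ?? '';
    return '<input type="text" name="q" value="' . $q . '">'
         . '<p>Results for: ' . $q . '</p>';
}

// Hardened pattern: sanitize on input, then escape for each output context
// (esc_attr for the attribute value, esc_html for the text node).
function render_search_hardened(array $get): string {
    $q = isset($get['q']) ? sanitize_text_field((string) $get['q']) : '';
    return '<input type="text" name="q" value="' . esc_attr($q) . '">'
         . '<p>Results for: ' . esc_html($q) . '</p>';
}

// Constructed sample standing in for a request to addons/?q=... that
// carries markup in the search term.
$sample = ['q' => '"><script>alert(1)</script>'];

echo "VULNERABLE:\n" . render_search_vulnerable($sample) . "\n\n";
echo "HARDENED:\n" . render_search_hardened($sample) . "\n";
```

The point of the two functions side by side is that the fix is not a single sanitizer call: sanitize_text_field() removes tags from the stored value, but the attribute and text contexts still need their own escaping, otherwise a value such as a stray double quote can still break out of the input element. A reviewer checking a plugin for this class of bug looks for every place a request parameter reaches the output without an esc_* call matched to its context.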
1.2 CVSS Score
The CVSS Base score of this vulnerability is 6.1 Medium. CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1.3 Affected Version
EventON plugin through 3.0.5
1.4 Vulnerability Attribution
This vulnerability is disclosed by the vendor themselves.
1.5 Risk Impact
WordPress is a free and open-source content management system written in PHP and paired with a MySQL or MariaDB database. Features include a plugin architecture and a template system.
WordPress is used by more than 60 million websites, including 33.6% of the top 10 million websites as of April 2019, making it one of the most popular content management system solutions in use. WordPress has also been used for other application domains such as pervasive display systems (PDS).
This vulnerability can be used by an attacker to infect end-user browsers, which can further be used for DDoS. An exploit is publicly available here.
1.6 Virsec Security Platform (VSP) Support:
The Virsec Security Platform (VSP) - Web has the capability to detect all types of XSS injection attacks and to prevent this attack from being exploited.
1.7 Reference Links:
Download the full vulnerability report to learn more about this and other important vulnerabilities.