CVE-2024-10186

Published November 6th, 2024

View on NVD ↗

CVSS v3

6.4

MEDIUM

CVSS v2

N/A

Affected

PROJECT

Description

The Event post plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's events_cal shortcode in all versions up to, and including, 5.9.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Event post

Adds some meta-data to posts to convert them into full calendar events. Each event can be exported into ical(.ics), outlook(vcs), or Google Calendar. Geolocation works thanks to openstreetmap. It can also fetch the weather, but doesn’t bring the sun 🙂 Follow <a href="https://twitter.com/wpeventpost" rel="nofollow ugc">@wpeventpost</a> on Twitter for latest news. Examples on <a href="https://event-post.com/?mtm_campaign=wp-plugin&mtm_kwd=event-post&mtm_medium=wp.org" rel="nofollow ugc">event-post.com</a> <h3>Post metas</h3> Date attributes <ul> <li>Begin Date</li> <li>End Date</li> <li>Color</li> <li>Event Status</li> <li>Event Attendance Mode</li> </ul> Location attributes <ul> <li>Address</li> <li>GPS coordinates</li> <li>Event Virtual Location</li> </ul> WooCommerce compliant You can enable event features on Woocommerce products. The event will be displayed on the product page. Moreover, the product price will be displayed in event list, calendar, map and timeline. This, way, you can sell tickets for your events, effortlessly and without any additional plugin. Weather attribute (for a given location and date if possible) <ul> <li>Weather <ul> <li>Temperature</li> <li>Weather</li> </ul></li> </ul> <h3>Usage</h3> <a href="https://event-post.com/docs/event-post/?mtm_campaign=wp-plugin&mtm_kwd=event-post&mtm_medium=wp.org" rel="nofollow ugc">Plugins/themes developpers documentation</a> <h3>Blocks & Shortcodes</h3> The plugin comes with several blocks/shortcodes which allows to: <ul> <li><code>[events_list]</code>: display a list of events</li> <li><code>[events_map]</code>: display a map of events</li> <li><code>[events_cal]</code>: display a calendar of events</li> <li><code>[event_details]</code>: display a detail of the current event</li> <li><code>[event_term]</code>: display the date range of a given term based on all events it contains</li> </ul> <h3>[events_list]</h3> <h4>Query parameters</h4> <ul> <li>nb=5 (number of post, -1 is all, default: 5)</li> <li>future=1 (boolean, retrieve, or not, events in the future, default = 1)</li> <li>past=0 (boolean, retrieve, or not, events in the past, default = 0)</li> <li>cat=” (string, select posts only from the selected category, default=null, for all categories)</li> <li>tag=” (string, select posts only from the selected tag, default=null, for all tags)</li> <li>tax_name=” (string, custom taxonomy name)</li> <li>tax_term=” (string, the term for above taxonomy)</li> <li>geo=0 (boolean, retreives or not, only events which have geolocation informations, default=0)</li> <li>order=”ASC” (string (can be “ASC” or “DESC”)</li> <li>orderby=”meta_value” (string (if set to “meta_value” events are sorted by event date, possible values are native posts fields : “post_title”,”post_date” etc…)</li> </ul> <h4>Display parameters</h4> <ul> <li>thumbnail=” (Bool, default:false, used to display posts thumbnails)</li> <li>thumbnail_size=” (String, default:”thmbnail”, can be set to any existing size : “medium”,”large”,”full” etc…)</li> <li>excerpt=” (Bool, default:false, used to display posts excerpts)</li> <li>style=” (String, add some inline CSS to the list wrapper)</li> <li>type=”div” (string, possible values are : div, ul, ol default=div)</li> <li>title=” (string, hidden if no events is found)</li> <li>before_title='<h3>’ (string (default <h3>)</li> <li>after_title='</h3>’ (string (default </h3>)</li> <li>container_schema=” (string html schema to display list)</li> <li>item_schema=” (string html schema to display item)</li> </ul> example: <pre><code> [events_list future=1 past=1 cat="actuality" nb=10] </code></pre> container_schema default value: <blockquote> <%type% class=”event_loop %id% %class%” id=”%listid%” style=”%style%” %attributes%> %list% </%type%> </blockquote> item_schema default value: <blockquote> <%child% class=”event_item %class%” data-color=”%color%”> <a href=”%event_link%”> %event_thumbnail% <h5>%event_title%</h5> </a> %event_date% %event_cat% %event_location% %event_excerpt% </%child%> </blockquote> <h3>[events_map]</h3> <ul> <li>nb=5 (number of post, -1 is all, default: 5)</li> <li>future=1 (boolean, retreive, or not, events in the future, default = 1)</li> <li>past=0 (boolean, retreive, or not, events in the past, default = 0)</li> <li>cat=” (string, select posts only from the selected category, default=null, for all categories)</li> <li>tag=” (string, select posts only from the selected tag, default=null, for all tags)</li> <li>tax_name=” (string, custom taxonomy name)</li> <li>tax_term=” (string, the term for above taxonomy)</li> <li>tile=” (string ([email protected], OpenCycleMap, mapquest, osmfr, 2u, satelite, toner), sets the map background, [email protected])</li> <li>title=” (string (default)</li> <li>zoom=” (number or empty (default, means fit to points)</li> <li>before_title='<h3>’; (string (default <h3>)</li> <li>after_title='</h3>’ *(string (default </h3>)**</li> <li>thumbnail=” * (Bool, default:false, used to display posts thumbnails)*</li> <li>excerpt=” (Bool, default:false, used to display posts excerpts)</li> <li>list=” (String (“false”, “above”, “below”, “right”, “left”) default: “false”, Display a list of posts)</li> </ul> example: <pre><code> [events_map future=1 past=1 cat="actuality" nb="-1"] </code></pre> <h3>[events_cal]</h3> <ul> <li>cat=” (string, select posts only from the selected category, default=null, for all categories)</li> <li>date=” (string, date for a month. Absolutly : 2013-9 or relatively : -1 month, default is empty, current month</li> <li>datepicker=1 (boolean, displays or not a date picker)</li> <li>mondayfirst=0 (boolean, weeks start on monday, default is 0 (sunday)</li> <li>display_title=0 (boolean, displays or not events title under the day number)</li> <li>tax_name=” (string, custom taxonomy name)</li> <li>tax_term=” (string, the term for above taxonomy)</li> </ul> example: <pre><code> [events_cal cat="actuality" date="-2 months" mondayfirst=1 display_title=1] </code></pre> <h3>[event_details]</h3> <ul> <li>attribute string (date, start, end, address, location). The default value is NULL and displays the full event bar [event_details attribute=”address”]</li> </ul> <h3>Hooks</h3> <a></a> <h4>Filters</h4> <ul> <li>eventpost_add_custom_box_position</li> <li>event_post_class_calendar_link</li> <li>eventpost_columns_head</li> <li>eventpost_contentbar</li> <li>eventpost_default_list_shema</li> <li>eventpost_get</li> <li>eventpost_get_items</li> <li>eventpost_get_post_types</li> <li>eventpost_get_single</li> <li>eventpost_getsettings</li> <li>eventpost_item_scheme_entities</li> <li>eventpost_item_scheme_values</li> <li>eventpost_list_shema</li> <li>eventpost_listevents</li> <li>eventpost_maps</li> <li>eventpost_multisite_get</li> <li>eventpost_multisite_blogids</li> <li>eventpost_params</li> <li>eventpost_printdate</li> <li>eventpost_printlocation</li> <li>eventpost_bulk_edit_fields</li> <li>eventpost_quick_edit_fields</li> <li>eventpost_retreive</li> <li>event-post-rich-result</li> <li>eventpost_shortcode_slug</li> </ul> <h4>Actions</h4> <ul> <li>evenpost_init</li> <li>eventpost_add_custom_box</li> <li>eventpost_custom_box_date</li> <li>eventpost_custom_box_loc</li> <li>after_eventpost_generator</li> <li>eventpost_getsettings</li> <li>eventpost_settings_form</li> <li>eventpost_after_settings_form</li> </ul>

WordPress Plugin Directory

84.7K