Vigil@nce - WordPress: Cross Site Scripting of dbem_rsvp.php
September 2010 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/
SYNTHESIS OF THE VULNERABILITY
An attacker can mount a Cross Site Scripting attack through the
dbem_rsvp.php script of the Events Manager plugin for WordPress.
Severity: 2/4
Creation date: 09/09/2010
DESCRIPTION OF THE VULNERABILITY
The WordPress suite manages web content, such as blogs.
The Events Manager plugin handles event booking.
The dbem_rsvp.php script lets visitors book seats for events.
However, this script does not filter its "bookerName",
"bookerEmail", "bookerPhone" and "bookerComment" parameters.
An attacker can therefore generate a Cross Site Scripting attack.
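The following is an added illustration, not code from the plugin or from Vigil@nce: a WordPress-style RSVP handler that reflects the four booking fields named above into HTML, first without any filtering (the pattern the bulletin describes) and then with output escaping. The form markup and the sample request are assumptions; only the parameter names come from the bulletin.

```php
<?php
// Added example (not the plugin's code). The field names are the ones the
// bulletin lists; the surrounding form markup is assumed for illustration.

function render_rsvp_unescaped(array $params): string {
    // Vulnerable pattern: request parameters are concatenated straight into
    // markup, so any HTML or quote character in them becomes part of the page.
    return '<p>Thank you, ' . $params['bookerName'] . '.</p>'
        . '<input type="text" name="bookerEmail" value="' . $params['bookerEmail'] . '">'
        . '<input type="text" name="bookerPhone" value="' . $params['bookerPhone'] . '">'
        . '<p>' . $params['bookerComment'] . '</p>';
}

function esc(string $value): string {
    // Encode &, <, >, " and ' so the value can only ever render as text.
    // Inside a real plugin, WordPress's esc_html() / esc_attr() serve the same
    // purpose for text nodes and attribute values respectively.
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function render_rsvp_escaped(array $params): string {
    // Hardened version: every untrusted value is escaped at the point of output.
    return '<p>Thank you, ' . esc($params['bookerName']) . '.</p>'
        . '<input type="text" name="bookerEmail" value="' . esc($params['bookerEmail']) . '">'
        . '<input type="text" name="bookerPhone" value="' . esc($params['bookerPhone']) . '">'
        . '<p>' . esc($params['bookerComment']) . '</p>';
}

// Constructed request standing in for $_POST: one field carries a tag, one
// carries a double quote that would otherwise end the attribute value early.
$request = [
    'bookerName'    => 'Alice <b>Smith</b>',
    'bookerEmail'   => 'alice@"example.com',
    'bookerPhone'   => '+1 555 0100',
    'bookerComment' => 'Looking forward to it <i>!</i>',
];

echo "Unescaped (vulnerable):\n" . render_rsvp_unescaped($request) . "\n\n";
echo "Escaped (fixed):\n" . render_rsvp_escaped($request) . "\n";
```

Diffing the two outputs shows exactly which characters the fix neutralises: the `<b>` and `<i>` tags and the stray `"` appear literally in the first rendering and as `&lt;`, `&gt;` and `&quot;` entities in the second.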
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/WordPress-Cross-Site-Scripting-of-dbem-rsvp-php-9910