Advisory:

Cross-site scripting vulnerability in The Events Calendar version 3.0

Vulnerability

Last revised:

This plugin reflects the tribe-bar-search query parameter into the message informing users that no results could be found without HTML-escaping it first. An attacker who can get a victim to open a crafted URL can therefore run script in the victim's browser in the context of the site:

http://wordpress.local/events/?tribe-bar-search=%3Cscript%3Ealert(1)%3C%2Fscript%3E

Note: this example may not trigger in browsers with a built-in reflected-XSS filter, which blocks a script tag that appears verbatim in both the request and the response.

The offending code is in lib/template-classes/month.php at line 75.
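To make the pattern concrete, the following is an added illustration and not code from The Events Calendar: the function names and message text are hypothetical, and the search term is the decoded value of the tribe-bar-search parameter from the URL above. It runs from the php CLI; outside WordPress a stand-in esc_html() is defined so the hardened branch behaves as WordPress's esc_html() does.

```php
<?php
// Added illustration of the flaw described in this advisory.
// Not the plugin's own code; function names are hypothetical.

// Stand-in for WordPress's esc_html() so this file runs from the php CLI
// outside WordPress. Inside WordPress the real esc_html() is used instead.
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Vulnerable pattern: the raw query-string value is concatenated into
// markup, so any tags in the search term become part of the page.
function no_results_message_vulnerable($term) {
    return '<p>No results were found for "' . $term . '".</p>';
}

// Hardened pattern: the value is HTML-escaped at the point of output,
// so '<', '>', '&' and quotes are emitted as entities and render as text.
function no_results_message_fixed($term) {
    return '<p>No results were found for "' . esc_html($term) . '".</p>';
}

// The search term a browser sends for the advisory's URL
// (?tribe-bar-search=%3Cscript%3Ealert(1)%3C%2Fscript%3E). In the live
// request this is the value of the tribe-bar-search query parameter.
$term = urldecode('%3Cscript%3Ealert(1)%3C%2Fscript%3E');

echo no_results_message_vulnerable($term), PHP_EOL;
echo no_results_message_fixed($term), PHP_EOL;
```

Run it with `php` on the command line: the vulnerable function emits the script tag verbatim, which a browser executes, while the hardened function emits it entity-encoded, which a browser displays as literal text. esc_html() is the right call for text content; a value placed inside an HTML attribute needs esc_attr() instead, and a value placed inside a script block needs a JavaScript-context encoding rather than either.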

Current state: Fixed

CVSS Summary

CVSS base scores for this vulnerability (CVSS v2 vector AV:N/AC:L/Au:N/C:N/I:P/A:N)

Score: 5 (Medium)
Vector: Network
Complexity: Low
Authentication: None
Confidentiality: None
Integrity: Partial
Availability: None
You can read more about CVSS base scores on Wikipedia or in the CVSS specification.

Proof of concept

Advisory timeline

Mitigation/further actions

Version 3.0.1 has been released, which resolves this issue and improves the plugin's hardening. Affected users should upgrade immediately.