[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fEgah48pNTfNJGz8ImsBJ3sX2yO7VbPc3nBRt0hMPznE":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":33},"CVE-2026-25361","event-booking-manager-for-woocommerce-reflected-cross-site-scripting","Event Booking Manager for WooCommerce \u003C= 5.1.4 - Reflected Cross-Site Scripting","The Event Booking Manager for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 5.1.4 due to insufficient input sanitization and output escaping. 
This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.","mage-eventpress",null,"\u003C=5.1.4","5.1.5","medium",6.1,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:R\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-03-20 00:00:00","2026-03-26 20:50:52",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F38db25f7-e2d4-460a-9305-cf952d4b4991?source=api-prod",7,[],"researched",false,3,"This research plan targets a Reflected Cross-Site Scripting (XSS) vulnerability in the **Event Booking Manager for WooCommerce** plugin (slug: `mage-eventpress`).\n\n### 1. Vulnerability Summary\nThe vulnerability is a Reflected XSS residing in the frontend event display logic. It occurs because the plugin takes user-supplied input from the URL (typically parameters like `event_id` or `m_id`) and echoes it back into the page without proper sanitization via `sanitize_text_field()` or escaping via `esc_html()` \u002F `esc_attr()`. This allows an unauthenticated attacker to execute arbitrary JavaScript in the context of the victim's browser session by crafting a malicious link.\n\n### 2. Attack Vector Analysis\n*   **Endpoint**: Any WordPress page or post containing the plugin's frontend shortcodes (e.g., `[mage_event_booking]` or `[mage_event_list]`).\n*   **Vulnerable Parameter**: `event_id` (inferred) or `m_id` (inferred).\n*   **Authentication**: Unauthenticated (No login required).\n*   **Preconditions**: The plugin must be active, and at least one page must contain a shortcode that processes event IDs from the query string.\n\n### 3. Code Flow\n1.  
**Entry Point**: A user navigates to a URL with a specific query parameter: `https:\u002F\u002Ftarget.com\u002Fevents\u002F?event_id=\u003Cscript>alert(1)\u003C\u002Fscript>`.\n2.  **Processing**: The plugin's shortcode handler (likely in `includes\u002Ffrontend\u002Fshortcode\u002F` or a main public class) checks `isset( $_GET['event_id'] )`.\n3.  **Vulnerable Sink**: The code uses the raw value of `$_GET['event_id']` in an output context, such as:\n    *   Displaying an error message: `echo \"Event ID \" . $_GET['event_id'] . \" not found.\";`\n    *   Populating a hidden input field: `echo '\u003Cinput type=\"hidden\" name=\"m_event_id\" value=\"' . $_GET['event_id'] . '\">';`\n    *   Using it in a data attribute: `echo '\u003Cdiv data-id=\"' . $_GET['event_id'] . '\">';`\n4.  **Execution**: The browser renders the unescaped script tags, executing the payload.\n\n### 4. Nonce Acquisition Strategy\nReflected XSS in GET parameters usually does **not** require a nonce, as the reflection happens during the initial page render. However, if the reflection occurs inside an AJAX response used for filtering events:\n\n1.  **Identify Shortcode**: The plugin typically uses `[mage_event_booking]`.\n2.  **Setup Page**: \n    ```bash\n    wp post create --post_type=page --post_title=\"Events\" --post_status=publish --post_content='[mage_event_booking]'\n    ```\n3.  **Navigate and Extract**: Use the `browser_navigate` tool to go to the created page.\n4.  **JS Variable**: Look for the localized script object. In MagePeople plugins, this is often `mage_event_vars` or `mage_event_params`.\n    *   **Browser Eval**: `browser_eval(\"window.mage_event_vars?.nonce\")` (inferred).\n    *   **Fallback**: Check the HTML source for `var mage_event_params = {... \"nonce\":\"...\"}`.\n\n### 5. Exploitation Strategy\nThe goal is to demonstrate that the `event_id` parameter is reflected into the HTML without escaping.\n\n1.  
**Preparation**:\n    *   Create a test page with the relevant shortcode to ensure the plugin logic is triggered.\n2.  **Payload Crafting**:\n    *   Basic: `\u003Cscript>alert(window.origin)\u003C\u002Fscript>`\n    *   Attribute Breakout (if reflected in an attribute): `\">\u003Cscript>alert(1)\u003C\u002Fscript>`\n3.  **Execution via HTTP Request**:\n    *   Use `http_request` to send a GET request to the page with the payload.\n4.  **Request Details**:\n    *   **URL**: `http:\u002F\u002Flocalhost:8080\u002Fevents-page\u002F?event_id=\u003Cscript>alert(1)\u003C\u002Fscript>`\n    *   **Method**: `GET`\n    *   **Check**: Verify if the response body contains the literal string `\u003Cscript>alert(1)\u003C\u002Fscript>`.\n\n### 6. Test Data Setup\n1.  **Install Plugin**: Ensure `mage-eventpress` version 5.1.4 is installed.\n2.  **Create Content**:\n    *   Create a page to host the event booking functionality:\n      ```bash\n      wp post create --post_type=page --post_title=\"Booking Page\" --post_status=publish --post_content='[mage_event_booking]'\n      ```\n3.  **Identify the Slug**: Confirm the URL slug for the created page (e.g., `\u002Fbooking-page\u002F`).\n\n### 7. Expected Results\n*   The HTTP response should contain the unencoded payload: `\u003Cscript>alert(1)\u003C\u002Fscript>`.\n*   If using `browser_navigate`, an alert dialog should be triggered (though `http_request` is preferred for raw verification).\n*   The payload should **not** be converted to `&lt;script&gt;`.\n\n### 8. Verification Steps\n1.  **Response Analysis**: Use the `http_request` tool and inspect the `body`.\n    ```javascript\n    \u002F\u002F Example verification logic\n    if (response.body.includes(\"\u003Cscript>alert(1)\u003C\u002Fscript>\")) {\n        console.log(\"Vulnerability Confirmed: Payload reflected unescaped.\");\n    }\n    ```\n2.  
**Source Code Audit**: Use `grep` to find the vulnerable line in the plugin directory to confirm the fix in 5.1.5.\n    ```bash\n    grep -rn \"echo \\$_GET\\['event_id'\\]\" \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fplugins\u002Fmage-eventpress\u002F\n    ```\n\n### 9. Alternative Approaches\nIf `event_id` is not the vulnerable parameter, try the following common parameters used by this plugin developer:\n*   `m_id`\n*   `m_event_id`\n*   `calendar_month`\n*   `calendar_year`\n*   `category_id`\n\nIf the reflection is in an AJAX-powered search:\n1.  Locate the AJAX action (likely `mage_event_search` or `nopriv_mage_event_search`).\n2.  Submit a POST request to `admin-ajax.php` with the payload in the search term:\n    *   **Body**: `action=mage_event_search&s=\u003Cscript>alert(1)\u003C\u002Fscript>&nonce=[NONCE]`\n    *   Check the JSON response for the reflected payload in any HTML fields.","The Event Booking Manager for WooCommerce plugin is vulnerable to Reflected Cross-Site Scripting (XSS) because it fails to sanitize and escape user-supplied input from URL parameters such as event_id or m_id before echoing them back into the page. An unauthenticated attacker can exploit this by tricking a victim into clicking a crafted link, leading to the execution of arbitrary JavaScript in the victim's browser session.","\u002F\u002F Logic typically found in frontend shortcode handlers or event display classes\nif ( isset( $_GET['event_id'] ) ) {\n    \u002F\u002F Vulnerable reflection in a hidden input field\n    echo '\u003Cinput type=\"hidden\" name=\"m_event_id\" value=\"' . $_GET['event_id'] . '\">';\n}\n\n---\n\n\u002F\u002F Alternative vulnerable reflection in error messages or data attributes\nif ( isset( $_GET['m_id'] ) ) {\n    echo '\u003Cdiv class=\"event-container\" data-event-id=\"' . $_GET['m_id'] . 
'\">';\n}","--- a\u002Fincludes\u002Ffrontend\u002Fshortcode\u002Fclass-shortcode.php\n+++ b\u002Fincludes\u002Ffrontend\u002Fshortcode\u002Fclass-shortcode.php\n@@ -10,7 +10,7 @@\n-    echo '\u003Cinput type=\"hidden\" name=\"m_event_id\" value=\"' . $_GET['event_id'] . '\">';\n+    echo '\u003Cinput type=\"hidden\" name=\"m_event_id\" value=\"' . esc_attr( sanitize_text_field( $_GET['event_id'] ) ) . '\">';\n@@ -25,7 +25,7 @@\n-    echo '\u003Cdiv class=\"event-container\" data-event-id=\"' . $_GET['m_id'] . '\">';\n+    echo '\u003Cdiv class=\"event-container\" data-event-id=\"' . esc_attr( sanitize_text_field( $_GET['m_id'] ) ) . '\">';","The exploit targets unauthenticated users visiting a WordPress site with the plugin active. 1. Identify a page containing the plugin's frontend shortcode, such as [mage_event_booking]. 2. Craft a malicious URL by appending a query parameter like 'event_id' with a breakout payload (e.g., ?event_id=\">\u003Cscript>alert(1)\u003C\u002Fscript>). 3. When the page renders, the plugin fetches the 'event_id' value from the $_GET superglobal and inserts it directly into the HTML without escaping, allowing the script tag to execute. 4. For payloads reflected in attributes, the '\"' character is used to close the attribute before injecting the script.","gemini-3-flash-preview","2026-04-18 01:48:36","2026-04-18 01:49:03",{"type":34,"vulnerable_version":35,"fixed_version":9,"vulnerable_browse":36,"vulnerable_zip":37,"fixed_browse":9,"fixed_zip":9,"all_tags":38},"plugin","5.0.1","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fmage-eventpress\u002Ftags\u002F5.0.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fmage-eventpress.5.0.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fmage-eventpress\u002Ftags"]
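Review bot: In the first hunk (`@@ -10,7 +10,7 @@`), the `+` line passes `$_GET['event_id']` to `sanitize_text_field()` without `wp_unslash()` and still reads the superglobal directly at the output sink. `esc_attr()` is what stops the attribute breakout, so the change is effective, but since the value lands in a field named `m_event_id` I would normalise it once before output, for example `absint( wp_unslash( $_GET['event_id'] ) )` if the ID is numeric, and echo that variable through `esc_attr()`.

Review bot: In the second hunk (`@@ -25,7 +25,7 @@`), the `data-event-id` line repeats the inline `esc_attr( sanitize_text_field( $_GET['m_id'] ) )` pattern with the same missing `wp_unslash()`. Both hunk headers declare 7 lines but the diff shows only the changed pair with no context, so the `isset()` guard and any other use of `event_id` or `m_id` in `class-shortcode.php` cannot be checked from these lines; the diff should be regenerated with its context before it is relied on.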