CVE-2024-9865 in EventPrime Plugin
Summary
by MITRE • 10/24/2024
The EventPrime – Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘ep_booking_attendee_fields’ fields in all versions up to, and including, 4.0.4.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses the transaction log for a booking.
Analysis
by VulDB Data Team • 03/03/2025
The vulnerability identified as CVE-2024-9865 affects the EventPrime WordPress plugin in all versions up to and including 4.0.4.7. The plugin provides an events calendar with bookings and ticket management, which makes it a critical component for event organizers and businesses that run on WordPress. The stored cross-site scripting vulnerability lies in the 'ep_booking_attendee_fields' functionality, which processes attendee information during booking transactions. The flaw represents a significant security risk because it allows attackers to inject malicious scripts that persist in the database and execute whenever users access specific administrative interfaces.
The technical root cause of this vulnerability stems from inadequate input sanitization and output escaping mechanisms within the plugin's codebase. When users submit booking information through the attendee fields, the system fails to properly validate or sanitize the input data before storing it in the database. Additionally, the output escaping mechanisms that should protect against XSS attacks are insufficient or missing entirely when rendering the stored data in the transaction log interface. This combination of weaknesses creates a persistent XSS vulnerability that can be exploited by unauthenticated attackers without requiring any special privileges or authentication credentials.
The operational impact of this vulnerability extends beyond simple script injection, as it provides attackers with a potential foothold for more sophisticated attacks within the WordPress environment. When legitimate users access the transaction log for bookings, their browsers execute the malicious scripts embedded in the attendee fields, potentially leading to session hijacking, credential theft, or redirection to malicious websites. The stored nature of this vulnerability means that once an attacker successfully injects malicious code, it will continue to execute for any user who accesses the affected transaction log pages until the malicious content is removed from the database. This persistent threat can compromise multiple users over time without requiring repeated exploitation attempts.
Security professionals should consider this vulnerability in the context of CWE-79, which specifically addresses Cross-Site Scripting flaws in software applications. The ATT&CK framework categorizes this type of vulnerability under T1566, specifically targeting the 'Phishing' technique where attackers use web-based attacks to compromise user systems. Organizations should implement immediate mitigations including input validation and output encoding improvements, regular security audits of third-party plugins, and monitoring for suspicious activity in booking transaction logs. The vulnerability also highlights the importance of keeping WordPress plugins updated and following security best practices for input handling, as this issue demonstrates how seemingly minor validation gaps can create significant security risks in widely used plugins.
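The defect pattern described in the root-cause paragraph above, and the clean-up check implied by the mitigations, as an added illustration that is not EventPrime's code: the booking record, field names and the renderer are constructed for this example, `html.escape` stands in for WordPress's `esc_html()` on output, and the tag-stripping function approximates `sanitize_text_field()` on input.

```python
import html
import re

# Constructed booking record, not real plugin data. The "name" attendee
# field carries markup, as an unauthenticated booking submission could.
BOOKING = {
    "booking_id": 1042,
    "ep_booking_attendee_fields": {
        "name": "Jane <script>alert(1)</script>",
        "email": "jane@example.com",
    },
}

# Matches a tag or an inline event-handler attribute inside a value that is
# supposed to be plain text (a name, an e-mail address).
MARKUP = re.compile(r"<[a-zA-Z/!][^>]*>|\bon[a-z]+\s*=", re.IGNORECASE)


def render_row_vulnerable(fields):
    """Transaction-log row built by concatenating stored values verbatim.
    This is the defect pattern: whatever was stored becomes live HTML."""
    return "<tr>" + "".join(f"<td>{v}</td>" for v in fields.values()) + "</tr>"


def render_row_hardened(fields):
    """Same row with every value escaped on output (the role esc_html() plays
    in WordPress). Stored markup is displayed as text, never executed."""
    cells = "".join(f"<td>{html.escape(v, quote=True)}</td>" for v in fields.values())
    return "<tr>" + cells + "</tr>"


def sanitize_attendee_field(value):
    """Input-side control: drop tags before storage, an approximation of what
    sanitize_text_field() does for a plain-text field."""
    return re.sub(r"<[^>]*>", "", value).strip()


def contains_markup(value):
    """True when a plain-text attendee field holds HTML-looking content."""
    return MARKUP.search(value) is not None


def scan_bookings(bookings):
    """Retrospective check over stored bookings: returns (booking_id, field)
    pairs whose attendee values already contain markup. These records must
    be cleaned after patching, because the stored payload outlives the fix."""
    hits = []
    for b in bookings:
        for name, value in b["ep_booking_attendee_fields"].items():
            if contains_markup(value):
                hits.append((b["booking_id"], name))
    return hits
```

Escaping on output is the fix for this class of bug; the input-side stripping and the stored-record scan only reduce exposure and help locate payloads already in the database.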