Tuesday 2 April 2019

CVE-2018-13137 - XSS in The Events Manager

Exploit Author: Mohammed Ansari(ansaert@gmail.com)
LinkedIn: https://www.linkedin.com/in/ansaert/
Discovered Date: July 3 2018
Affected Version: 5.9.4
Fixed Version: 5.9.5 (released July 18 2018)
Active installations: 100,000+
Plugin: https://wordpress.org/plugins/events-manager/

Description

Events Manager is a full-featured event registration plugin for WordPress based on the principles of flexibility, reliability and powerful features. Version 5 now makes events and locations WordPress Custom Post Types, allowing for more possibilities than ever before.

Classification

Type:  Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE: CWE-79

Proof of Concept

There are multiple stored XSS (Cross-site Scripting) issues in events-manager/trunk/admin/settings/tabs/pages.php, the file that renders the events-manager-options settings page. The cause is unsanitized user input, echoed back without output escaping, from the following option parameters:
dbem_cp_events_slug
dbem_cp_locations_slug
dbem_taxonomy_category_slug
dbem_taxonomy_tag_slug
Exploiting this vulnerability requires an authenticated user who can reach the plugin's settings page; the payload is then stored in the option and executes for anyone who later views the settings page or the other pages that output these slugs.
Example:
Open the Events Manager settings page at http://xxxx/wordpress/wp-admin/edit.php?post_type=event&page=events-manager-options, enter the payload in the events slug field and click Save Changes. The value is saved and rendered back unescaped on the settings page and on the other related pages, where the script runs:
dbem_cp_events_slug=events%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E
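The following Python script is an added example and is not code from the advisory or from the Events Manager plugin. It models the stored-XSS pattern described above (a settings handler that stores the posted slug as-is, and a page that echoes it back into an input's value attribute) beside the escaped rendering that a fix must produce, and it includes the check a tester would run against a real response to tell a raw reflection from an escaped one. The option names and the payload are the ones from the advisory; the input markup, the `save_options` / `render_settings_page` functions and the assumption that escaping happens at output (the job WordPress's `esc_attr()` does) are illustrative stand-ins, not the plugin's own code or the actual 5.9.5 patch.

```python
"""
Added example: models the stored XSS in the Events Manager slug options and
the output-escaping fix, plus a check that tells a raw reflection from an
escaped one. Markup and function names are assumptions, not plugin code.
"""
import html
import re
from urllib.parse import unquote

# Option names from the advisory.
AFFECTED_OPTIONS = (
    "dbem_cp_events_slug",
    "dbem_cp_locations_slug",
    "dbem_taxonomy_category_slug",
    "dbem_taxonomy_tag_slug",
)

# The advisory's payload, URL-decoded: events<script>alert(1);</script>
PAYLOAD = unquote("events%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E")


def save_options(store: dict, posted: dict) -> dict:
    """Stand-in for the settings save handler: the posted value is stored
    verbatim, with no sanitisation (the behaviour the advisory describes)."""
    for name in AFFECTED_OPTIONS:
        if name in posted:
            store[name] = posted[name]
    return store


def render_settings_page(store: dict, escape: bool) -> str:
    """Render the stored options back into <input value="..."> fields.

    escape=False models the vulnerable page: the value is echoed raw.
    escape=True models the fix: escape at output. html.escape(quote=True)
    neutralises the same characters as WordPress esc_attr().
    """
    rows = []
    for name in AFFECTED_OPTIONS:
        value = store.get(name, "")
        if escape:
            value = html.escape(value, quote=True)
        rows.append(f'<input type="text" name="{name}" value="{value}">')
    return "\n".join(rows)


def unescaped_reflections(page: str, marker: str) -> list:
    """Names of the affected inputs whose value attribute starts with the
    marker verbatim. A marker containing '<' can only reach an attribute
    unchanged if output escaping was skipped, so any hit is the stored-XSS
    condition; an escaped page yields [] because '<' became '&lt;'."""
    hits = []
    for name in AFFECTED_OPTIONS:
        m = re.search(r'name="' + re.escape(name) + r'" value="', page)
        if m and page.startswith(marker, m.end()):
            hits.append(name)
    return hits


def demo(escape: bool) -> list:
    """Post the payload into every affected option, render the page and
    report which fields reflect it raw. Expected: all four fields for the
    vulnerable rendering, none once output escaping is applied."""
    posted = {name: PAYLOAD for name in AFFECTED_OPTIONS}
    store = save_options({}, posted)
    return unescaped_reflections(render_settings_page(store, escape), PAYLOAD)


if __name__ == "__main__":
    print("vulnerable:", demo(escape=False))
    print("fixed     :", demo(escape=True))
```

To verify a real installation, replace the `render_settings_page` call with the HTML of the settings page fetched after saving the payload (an authenticated GET of the events-manager-options page) and feed it to `unescaped_reflections`; a non-empty list means the slug is still echoed raw. Note that the check is deliberately strict: it only reports a field when the payload appears byte-for-byte, so a partially filtered value (for example one that dropped the `<script>` tag but kept a `"` that breaks out of the attribute) needs a second marker tailored to that context.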

3 comments:

  1. Thanks for sharing information.

    FYI, if you need a professional Misty Fan Rental Service in Indonesia for any events, you can contact us. We will provide what you need.

    More about us you can visit: http://arthurteknik.com

  2. Thank you very much. Distributor and shop for health equipment and seller of hospital-standard medical devices, used by many customers all over Indonesia. Visit perkasamedika.com