False Positive: XSS Security Vulnerability Report in EM 5.9.8.1

Posted on November 28, 2020

Update : WPScan has already gotten back to us and removed the security vulnerability linked further down on this post. We hope that other security services will propagate the information quickly. We’re now also aware that BlogVault has started reporting this to users too.

In a nutshell: There’s a reported XSS vulnerability in Events Manager 5.9.8.1, now circulating among some security plugin scanners which is a FALSE POSITIVE (i.e. not true). We’d like to address this here to help avoid confusion this is causing.

We take security very seriously, and always encourage users to privately disclose issues directly to us via our contact form.

This doesn’t always happen, sometimes someone reports this either directly to WordPress. Thankfully, due to our long good standing with the WordPress.org community and fast reactions to any security issues that may arise, they will reach out to us and within the day (when times coincide) we investigate the issue.

This happened back at the end of August. The WordPress plugins team got in touch about a reported issue. We investigated the issue and got back to them immediately.

Thankfully, in this case, it’s a false positive, which was confirmed with the Plugins team.

The claimed XSS vulnerability report stated that an editor can add XSS strings to event and location titles, however, editors are able to do this to Posts and Pages on a vanilla WordPress install without Events Manager or any other plugin installed.

Unfortunately, for some unknown reason, this has made it through to this WPScan, which has now propagated the false-positive to iThemes and JetPack security plugins:

https://wpscan.com/vulnerability/10483

We’re in contact with WPScan to get this resolved. We take security very seriously and will always respond with utmost urgency to any known security report.