Floragasse 7 – 5th floor, 1040 Vienna
Subscribe to our Newsletter


SBA Security Advisory – WordPress Plugin – Events Manager – Stored XSS (CVE-2019-16523)

Vulnerability Overview

The events-manager plugin through 5.9.5 for WordPress (aka Events Manager) is susceptible to Stored XSS due to improper encoding and insertion of data provided to the attribute map_style of shortcodes (locations_map and events_map) provided by the plugin.

  • Type of Vulnerability: Cross-site Scripting
  • Fixed in Version: 5.9.6
  • CVSSv3 Vector: AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
  • CVSSv3 Base Score: 7.3 (High)

Recommended Countermeasure

We recommend to update events-manager plugin to version 5.9.6 or later. For further details, see the full security advisory.


Full Security Advisory