{"id":"CVE-2020-26153","details":"A cross-site scripting (XSS) vulnerability in wp-content/plugins/event-espresso-core-reg/admin_pages/messages/templates/ee_msg_admin_overview.template.php in the Event Espresso Core plugin before 4.10.7.p for WordPress allows remote attackers to inject arbitrary web script or HTML via the page parameter.","modified":"2026-04-10T05:10:09.948344Z","published":"2021-07-13T11:15:08.843Z","references":[{"type":"FIX","url":"https://github.com/eventespresso/event-espresso-core/compare/4.10.6.p...4.10.7.p"},{"type":"EVIDENCE","url":"https://labs.nettitude.com/blog/cve-2020-26153-event-espresso-core-cross-site-scripting/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/eventespresso/event-espresso-core","events":[{"introduced":"0"},{"fixed":"e60a768c66aec63f818e56646cd968d37b9b8e1e"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"4.10.7.p"}]}}],"versions":["4.10.0.p","4.10.1.p","4.10.2.p","4.10.3.p","4.10.4.p","4.10.5.p","4.10.6.p","4.10.7.p","4.2.0.reg","4.2.1.reg","4.2.2.reg","4.2.3.reg","4.2.4.reg","4.2.5.p","4.2.8.p","4.2.9.p","4.3.1.p","4.4.0.p","4.4.1.p","4.4.2.p","4.4.3.p","4.4.4.p","4.6.25.p","4.8.18.p","4.8.19.p","4.8.20.p","4.8.30.p","4.9.63.p","4.9.64.p","4.9.65.p","4.9.66.p","4.9.67.p","4.9.69.p","4.9.70.p","4.9.71.p","4.9.72.p","4.9.73.p","4.9.74.p","4.9.75.p","4.9.76.p","4.9.77.p","4.9.78.p","4.9.79.p","4.9.80.p","4.9.81.p","4.9.82.p","4.9.9.p"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-26153.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}]}