Description
The Events Calendar Made Simple – Pie Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's piecal shortcode in all versions up to, and including, 1.2.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-02-21
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Authenticated Cross‑Site Scripting leading to arbitrary script execution in visitors’ browsers
Action: Patch Immediately
AI Analysis

Impact

The Pie Calendar plugin for WordPress contains a stored cross‑site scripting flaw that originates in the piecal shortcode. Insufficient input sanitization and output escaping allow an authenticated user with contributor-level access or higher to embed arbitrary JavaScript in the shortcode attributes. When a page containing the malicious shortcode is viewed, the injected script executes in the browsers of any visitors to that page.

Affected Systems

Versions of the Pie Calendar plugin, marketed as Events Calendar Made Simple – Pie Calendar, up to and including version 1.2.5 are vulnerable. The issue affects any WordPress installation that has those plugin versions installed.

Risk and Exploitability

With a CVSS score of 6.4 and an EPSS probability of less than 1 %, the likelihood of exploitation is considered moderate but with low observed activity. The vulnerability is not listed in CISA's KEV catalog, indicating no widespread exploitation has been reported. Attacks require an authenticated contributor or higher to craft the malicious shortcode, after which the compromised content is rendered to any visitor of the affected page.

Generated by OpenCVE AI on April 21, 2026 at 22:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Pie Calendar plugin to a version newer than 1.2.5, which contains proper input validation and output escaping fixes.
  • If an upgrade is not immediately possible, delete or disable any content that includes the piecal shortcode to remove the stored script payload.
  • Review contributor role permissions and consider restricting the ability to insert shortcodes or modify content, and audit the database for any remaining injected scripts.

Generated by OpenCVE AI on April 21, 2026 at 22:19 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-4251 The Events Calendar Made Simple – Pie Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's piecal shortcode in all versions up to, and including, 1.2.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
History

Tue, 25 Feb 2025 04:00:00 +0000

Type Values Removed Values Added
First Time appeared Jonathanjernigan
Jonathanjernigan pie Calendar
CPEs cpe:2.3:a:jonathanjernigan:pie_calendar:*:*:*:*:*:wordpress:*:*
Vendors & Products Jonathanjernigan
Jonathanjernigan pie Calendar

Fri, 21 Feb 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 21 Feb 2025 08:30:00 +0000

Type Values Removed Values Added
Description The Events Calendar Made Simple – Pie Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's piecal shortcode in all versions up to, and including, 1.2.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title Events Calendar Made Simple – Pie Calendar <= 1.2.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via piecal Shortcode
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Jonathanjernigan Pie Calendar
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:34:50.426Z

Reserved: 2025-02-17T23:48:14.649Z

Link: CVE-2025-1410

cve-icon Vulnrichment

Updated: 2025-02-21T15:26:49.164Z

cve-icon NVD

Status : Analyzed

Published: 2025-02-21T09:15:10.200

Modified: 2025-02-25T03:35:42.633

Link: CVE-2025-1410

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T22:30:06Z

Weaknesses