Description
The Event post plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'events_list' shortcodes in all versions up to, and including, 5.9.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-03-26
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored XSS
Action: Upgrade Plugin
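The bug class the description names, shown as a hypothetical PHP shortcode handler beside its hardened form. This is an added illustration, not code from the Event post plugin; the attribute names 'title' and 'class' and the function names are assumptions for the example.

```php
<?php
// Added illustration of the bug class: a hypothetical WordPress shortcode
// handler, NOT code from the Event post plugin. The attribute names 'title'
// and 'class' and the function names are assumptions for the example.

// Vulnerable pattern: shortcode attributes are concatenated straight into HTML.
// Any contributor who can place the shortcode in a post controls these values,
// and nothing strips tags or escapes quotes before output, so the markup
// they inject is stored with the post and rendered to every visitor.
function example_events_list_vulnerable( $atts ) {
    $atts = shortcode_atts(
        array( 'title' => 'Upcoming events', 'class' => '' ),
        $atts,
        'events_list'
    );
    return '<div class="events ' . $atts['class'] . '">'
         . '<h2>' . $atts['title'] . '</h2>'
         . '</div>';
}

// Hardened pattern: sanitize each attribute on the way in, then escape it for
// the exact HTML context it lands in (attribute value vs. text node).
function example_events_list_hardened( $atts ) {
    $atts = shortcode_atts(
        array( 'title' => 'Upcoming events', 'class' => '' ),
        $atts,
        'events_list'
    );
    // sanitize_text_field() removes tags, line breaks and control characters.
    $title = sanitize_text_field( $atts['title'] );
    // sanitize_html_class() keeps only characters valid in a CSS class name.
    $class = sanitize_html_class( $atts['class'] );
    // esc_attr() for attribute context, esc_html() for text-node context.
    return '<div class="events ' . esc_attr( $class ) . '">'
         . '<h2>' . esc_html( $title ) . '</h2>'
         . '</div>';
}

// Register the hardened handler; the vulnerable one is kept only for comparison.
add_shortcode( 'events_list', 'example_events_list_hardened' );
```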
AI Analysis

Impact

The Event post plugin for WordPress contains a stored cross-site scripting flaw due to inadequate sanitization and escaping of user-supplied attributes in the 'events_list' shortcode. All versions up to and including 5.9.9 are affected. An authenticated user with contributor-level permissions or higher can embed arbitrary JavaScript that is persisted by the plugin and executed whenever a page containing the shortcode is accessed. The consequence is potential theft of cookies or session data, defacement, and other malicious client-side actions against every visitor to the injected page.

Affected Systems

The vulnerability exists in the Event post WordPress plugin produced by bastho. All plugin releases up to and including version 5.9.9 are vulnerable.

Risk and Exploitability

The CVSS score is 5.4, indicating moderate risk. The EPSS score of less than 1% suggests a low likelihood of exploitation in the near term, and the flaw is not listed in the CISA KEV catalog. Exploitation requires an authenticated account with the contributor role or higher, so an attacker must first be authorized to author content. Once injected, the malicious script is stored and runs for every user who views the affected page, making this a stored XSS triggered by the plugin's shortcode parsing.

Generated by OpenCVE AI on April 21, 2026 at 21:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Event post plugin to a version newer than 5.9.9 in which the input sanitization and output escaping bug has been fixed.
  • Identify and remove any events or posts containing the 'events_list' shortcode with malicious attributes, eliminating the stored payload.
  • Restrict contributor-level and higher roles to trusted users, or revoke contributor access where it is not required, to reduce the risk.

Advisories
Source | ID | Title
EUVD | EUVD-2025-8115 | The Event post plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'events_list' shortcodes in all versions up to, and including, 5.9.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
History

Wed, 26 Mar 2025 15:15:00 +0000

Type | Values Removed | Values Added
Metrics (ssvc) | | {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 26 Mar 2025 08:30:00 +0000

Type | Values Removed | Values Added
Description | | The Event post plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'events_list' shortcodes in all versions up to, and including, 5.9.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title | | Event post <= 5.9.9 - Authenticated (Contributor+) Stored Cross-Site Scripting
Weaknesses | | CWE-79
References | |
Metrics (cvssV3_1) | | {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:45:24.549Z

Reserved: 2025-03-10T14:01:33.153Z

Link: CVE-2025-2167

Vulnrichment

Updated: 2025-03-26T14:15:23.383Z

NVD

Status: Deferred

Published: 2025-03-26T09:15:16.500

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-2167

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T21:45:25Z

Weaknesses