Impact
The Eventer WordPress plugin contains a reflected Cross-Site Scripting (XSS) vulnerability that arises from improper input sanitization. An attacker can embed malicious JavaScript in a crafted URL; when a victim clicks it, the script executes in the victim's browser in the context of the vulnerable site. Because the script runs with the victim's privileges, the attacker can steal session cookies, hijack accounts, or perform arbitrary actions on the user's behalf. The flaw is classified as CWE-79 and can be used to deface the site or compromise its integrity.
Affected Systems
The vulnerability affects the imithemes Eventer (eventer) plugin for WordPress. All versions up to and including 3.9.8 are affected, that is, every release prior to 3.9.9. Any host that has the plugin enabled and exposed to the Internet is in scope.
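Operators can use the version boundary above to check whether an installed copy is still in the affected range. The following Python is an added example written for this advisory page (not code from the plugin, imithemes, or OpenCVE); the plugin header sample is constructed, and the real name of the plugin's main file is not given here, so the path is an assumption.

```python
"""Check whether an installed Eventer build is in the affected range (< 3.9.9)
by reading the WordPress plugin header. Example code for this advisory, not
part of the plugin or of OpenCVE."""
import re
from pathlib import Path
from typing import Optional, Tuple

FIXED_VERSION = "3.9.9"  # first release the advisory lists as unaffected

# Constructed sample of a WordPress plugin header; the real header text of
# the Eventer plugin is not given on the page.
SAMPLE_PLUGIN_HEADER = """<?php
/**
 * Plugin Name: Eventer
 * Plugin URI:  https://example.invalid/eventer
 * Version:     3.9.8
 * Author:      imithemes
 */
"""

def parse_version(text: str) -> Optional[str]:
    """Return the 'Version:' header value from plugin file text, or None."""
    m = re.search(r"^[\s*#/]*Version:\s*([0-9][0-9A-Za-z.\-]*)\s*$", text, re.M)
    return m.group(1) if m else None

def version_key(v: str) -> Tuple[int, ...]:
    """Turn '3.9.8.1' into (3, 9, 8, 1). Parsing stops at the first component
    with no leading digits, so a non-numeric suffix is ignored."""
    parts = []
    for piece in v.split("."):
        digits = re.match(r"\d+", piece)
        if not digits:
            break
        parts.append(int(digits.group()))
    return tuple(parts)

def is_affected(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when installed < fixed, comparing component-wise so that
    3.10.0 is correctly treated as newer than 3.9.9."""
    return version_key(installed) < version_key(fixed)

def check_plugin_file(path: Path) -> Tuple[Optional[str], bool]:
    """Read a plugin main file (assumed path, e.g. wp-content/plugins/eventer/)
    and report (version, affected). An unreadable version is treated as
    affected until verified by other means."""
    version = parse_version(path.read_text(encoding="utf-8", errors="replace"))
    if version is None:
        return None, True
    return version, is_affected(version)

if __name__ == "__main__":
    v = parse_version(SAMPLE_PLUGIN_HEADER)
    state = "AFFECTED, update to >= " + FIXED_VERSION if is_affected(v) else "patched"
    print(f"Eventer {v}: {state}")
```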
Risk and Exploitability
The CVSS score of 7.1 indicates high severity. The EPSS score of less than 1% suggests that, historically, the probability of exploitation in the wild is low, and the vulnerability is not listed in CISA's KEV catalog. Nevertheless, the flaw is relatively easy to exploit via a malicious link or a compromised social media post, so it is a meaningful risk for sites that handle sensitive user data or rely on the Eventer plugin for booking functionality. From the description it is inferred that the attacker crafts a malicious URL that a victim clicks, so the attack vector is a remote, user-initiated request. The exploitation conditions are minimal: a vulnerable version of the plugin and a victim who visits a malicious link.