Improper neutralization of input during web page generation allows an attacker to inject malicious scripts that execute in the browser of any user who views a crafted page in WordPress. The vulnerability, classified as CWE‑79, can lead to credential theft, session hijacking, defacement or distribution of malware. The impact is achieved entirely in the client side and does not require elevated privileges.

The WordPress plugin "Another Events Calendar" from Yendif Player is affected for all releases up through version 1.7.0. Any WordPress site that hosts this plugin without updating to a newer release is vulnerable.

The vulnerability carries a CVSS score of 7.1, indicating moderate to high severity, while the EPSS score is below 1%, showing low current exploitation probability. It is not listed in the CISA KEV catalogue. The attack vector is likely limited to reflected XSS, meaning an attacker simply needs to entice a victim to visit a specially crafted URL containing malicious script payloads. Once the victim loads the page, the script runs with the victim’s user privileges.