Description
The WP Event Manager – Events Calendar, Registrations, Sell Tickets with WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘tag-name’ parameter in all versions up to, and including, 3.1.49 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Published: 2025-07-16
Score: 4.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting via the tag‑name parameter enabled for administrators with access to a multisite network where unfiltered_html is disabled
Action: Apply Patch
AI Analysis

Impact

The WP Event Manager plugin allows administrators to inject arbitrary JavaScript into the tag‑name field. Because the input is not properly sanitized or escaped, the injected code is stored and subsequently served to any user who accesses the affected page, leading to an execution environment controlled by the attacker. This stored XSS can be used to deface content, steal session cookies, redirect victims, or serve other malicious payloads.

Affected Systems

All installations of WP Event Manager – Events Calendar, Registrations, Sell Tickets with WooCommerce plugin up to and including version 3.1.49. The issue is confined to multisite configurations where the WordPress capability unfiltered_html has been disabled, and only affects administrators or roles with equivalent privileges.

Risk and Exploitability

The CVSS score of 4.4 indicates a low impact when evaluated broadly, but the vulnerability is exploitable only by users who already possess administrator-level credentials and are on a multisite network with the specific unfiltered_html setting. The EPSS score is below 1 % and the vulnerability is not listed in CISA’s KEV catalog, suggesting a low probability of widespread exploitation. Nevertheless, the presence of an inactive capability and the requirement for admin access mean that organisations with loose role management may still face a risk of script execution on user‑facing pages.

Generated by OpenCVE AI on April 20, 2026 at 22:16 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the WP Event Manager plugin to version 3.1.50 or later on all sites in the multisite network
  • Remove or restrict the unfiltered_html capability so that only trusted administrators can use it, eliminating the attack surface employed by this flaw
  • Configure the site’s access controls to minimize the number of administrators, ensuring that only vetted accounts have sufficient permissions to modify plugin data

Generated by OpenCVE AI on April 20, 2026 at 22:16 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-21574 The WP Event Manager – Events Calendar, Registrations, Sell Tickets with WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘tag-name’ parameter in all versions up to, and including, 3.1.49 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
History

Fri, 18 Jul 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 16 Jul 2025 20:00:00 +0000

Type Values Removed Values Added
First Time appeared Wp-eventmanager
Wp-eventmanager wp Event Manager
CPEs cpe:2.3:a:wp-eventmanager:wp_event_manager:*:*:*:*:*:wordpress:*:*
Vendors & Products Wp-eventmanager
Wp-eventmanager wp Event Manager

Wed, 16 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.00027}

Wed, 16 Jul 2025 05:45:00 +0000

Type Values Removed Values Added
Description The WP Event Manager – Events Calendar, Registrations, Sell Tickets with WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘tag-name’ parameter in all versions up to, and including, 3.1.49 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Title WP Event Manager <= 3.1.49 - Authenticated (Administrator+) Stored Cross-Site Scripting
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 4.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Wp-eventmanager Wp Event Manager
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:13:20.678Z

Reserved: 2025-03-25T19:52:06.849Z

Link: CVE-2025-2799

cve-icon Vulnrichment

Updated: 2025-07-18T14:47:59.709Z

cve-icon NVD

Status : Analyzed

Published: 2025-07-16T06:15:23.303

Modified: 2025-07-16T19:57:17.987

Link: CVE-2025-2799

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T22:30:19Z

Weaknesses