Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in rzfarrell CGM Event Calendar cgm-event-calendar allows Reflected XSS.This issue affects CGM Event Calendar: from n/a through <= 0.8.5.
Published: 2025-04-01
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The CGM Event Calendar plugin for WordPress contains an improper neutralization of input during web page generation that allows attackers to inject arbitrary JavaScript via reflected XSS. This flaw permits malicious code to be executed in the browsers of visitors who view the affected event page.

Affected Systems

The vulnerability affects the rzfarrell CGM Event Calendar WordPress plugin versions from the earliest release through 0.8.5. Any site running those versions is at risk; later releases are not impacted.

Risk and Exploitability

The likely attack vector is reflected XSS through malicious URLs or event entries. Based on the description, it is inferred that no explicit prerequisites beyond accessing the vulnerable event page are required, so the user can trigger the vulnerability remotely by visiting a crafted link. The CVSS score of 7.1 indicates a moderate-to-high severity level, and an EPSS score of less than 1% suggests that, as of now, the likelihood of exploitation is low. The flaw is not listed in CISA KEV.

Generated by OpenCVE AI on May 2, 2026 at 08:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest CGM Event Calendar plugin update (0.8.6 or newer) to remove the XSS flaw.
  • If an update cannot be applied, disable the plugin or delete problematic event pages that trigger the flaw.
  • Deploy or enable a web application firewall or XSS filtering plugin to block malicious input and protect remaining sites.

Generated by OpenCVE AI on May 2, 2026 at 08:39 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-9446 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in rzfarrell CGM Event Calendar allows Reflected XSS. This issue affects CGM Event Calendar: from n/a through 0.8.5.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in rzfarrell CGM Event Calendar allows Reflected XSS. This issue affects CGM Event Calendar: from n/a through 0.8.5. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in rzfarrell CGM Event Calendar cgm-event-calendar allows Reflected XSS.This issue affects CGM Event Calendar: from n/a through <= 0.8.5.
Title WordPress CGM Event Calendar <= 0.8.5 - Cross Site Scripting (XSS) Vulnerability WordPress CGM Event Calendar plugin <= 0.8.5 - Cross Site Scripting (XSS) Vulnerability
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Thu, 10 Apr 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 01 Apr 2025 21:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in rzfarrell CGM Event Calendar allows Reflected XSS. This issue affects CGM Event Calendar: from n/a through 0.8.5.
Title WordPress CGM Event Calendar <= 0.8.5 - Cross Site Scripting (XSS) Vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:07.874Z

Reserved: 2025-03-28T11:00:51.876Z

Link: CVE-2025-31462

cve-icon Vulnrichment

Updated: 2025-04-10T14:41:33.910Z

cve-icon NVD

Status : Deferred

Published: 2025-04-01T21:15:48.483

Modified: 2026-04-23T15:27:52.370

Link: CVE-2025-31462

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-02T08:45:38Z

Weaknesses