Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in eventbee Eventbee RSVP Widget eventbee-rsvp-widget allows DOM-Based XSS. This issue affects Eventbee RSVP Widget: from n/a through <= 1.0.
Published: 2025-04-01
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a DOM‑based cross‑site scripting flaw caused by improper input neutralization during web page generation. An attacker who can influence the content rendered by the Eventbee RSVP Widget could inject and execute malicious scripts in the victim’s browser. Successful exploitation permits defacement, cookie theft, session hijacking, and other actions that compromise the confidentiality or integrity of the site from the victim’s perspective.

Affected Systems

This weakness exists in the WordPress Eventbee RSVP Widget plugin provided by eventbee. Any installation of the plugin with version 1.0 or earlier is affected; the vulnerable range is listed as n/a through <= 1.0.

Risk and Exploitability

The CVSS base score for this issue is 6.5, indicating medium severity. An EPSS score below 1% suggests a low probability of exploitation in the near term, and the issue is not currently listed in the CISA KEV catalog. Because the flaw is DOM‑based, the attack vector most likely involves a user visiting a page on which the plugin renders user‑controlled data. Because the CNA has supplied no known patch or workaround, sites remain exposed until the plugin is upgraded or removed.

Generated by OpenCVE AI on May 1, 2026 at 01:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the newest version of the Eventbee RSVP Widget plugin that addresses the XSS issue.
  • If an immediate upgrade is infeasible, deactivate or uninstall the plugin until an update is available.
  • Add a security policy or WAF rule to block inline script execution on pages containing the widget.
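As an added illustration of the third recommendation above (this is example code, not part of the page, the plugin or OpenCVE), the following must-use plugin sends a Content-Security-Policy header from WordPress on front-end requests via the send_headers action. It assumes a site whose scripts are served only from its own origin; the report endpoint URL is a placeholder. A policy without 'unsafe-inline' breaks themes and plugins that emit inline scripts (WordPress core does), so the snippet starts in report-only mode, where violations are reported but nothing is blocked, and leaves the enforcing header commented out until the reports are clean.

```php
<?php
/**
 * Plugin Name: CSP for pages embedding the Eventbee RSVP Widget (added example)
 *
 * Place this file in wp-content/mu-plugins/ so it loads on every request.
 * Hypothetical example: it is not part of the plugin or of OpenCVE.
 */

// Assumption: scripts are served from the site's own origin only. Add every
// CDN or third-party origin the site really uses (for example the Eventbee
// host) to script-src, otherwise those scripts are reported or blocked.
function example_csp_policy(): string {
    $directives = [
        "default-src 'self'",
        // No 'unsafe-inline' and no 'unsafe-eval': inline <script> blocks,
        // on* event-handler attributes and javascript: URLs that reach the
        // document through a DOM sink are refused by the browser.
        "script-src 'self'",
        "object-src 'none'",
        "base-uri 'self'",
        // Placeholder endpoint: replace with the site's real report collector.
        "report-uri https://example.invalid/csp-report",
    ];
    return implode('; ', $directives);
}

add_action('send_headers', function () {
    // Phase 1: observe. Report-Only never blocks anything; review the reports
    // and extend script-src until legitimate scripts stop being flagged.
    header('Content-Security-Policy-Report-Only: ' . example_csp_policy());

    // Phase 2: enforce. Uncomment once the report log is clean.
    // header('Content-Security-Policy: ' . example_csp_policy());
});
```

The header is a containment measure, not a fix for the plugin: the DOM-based sink remains reachable, but a CSP-compliant browser refuses to run script injected through it. Updating or removing the plugin is still the remediation.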


Advisories

Source: EUVD
ID: EUVD-2025-9186
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in eventbee Eventbee RSVP Widget allows DOM-Based XSS. This issue affects Eventbee RSVP Widget: from n/a through 1.0.
History

Thu, 23 Apr 2026 15:00:00 +0000

  Type: Metrics (cvssV3_1)
  Value: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

  Type: Description
  Value removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in eventbee Eventbee RSVP Widget allows DOM-Based XSS. This issue affects Eventbee RSVP Widget: from n/a through 1.0.
  Value added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in eventbee Eventbee RSVP Widget eventbee-rsvp-widget allows DOM-Based XSS. This issue affects Eventbee RSVP Widget: from n/a through <= 1.0.

  Type: References

  Type: Metrics (cvssV3_1)
  Value: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Tue, 01 Apr 2025 19:15:00 +0000

  Type: Metrics (ssvc)
  Value added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 01 Apr 2025 15:00:00 +0000

  Type: Description
  Value added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in eventbee Eventbee RSVP Widget allows DOM-Based XSS. This issue affects Eventbee RSVP Widget: from n/a through 1.0.

  Type: Title
  Value added: WordPress Eventbee RSVP Widget plugin <= 1.0 - Cross Site Scripting (XSS) vulnerability

  Type: Weaknesses
  Value added: CWE-79

  Type: References

  Type: Metrics (cvssV3_1)
  Value added: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

Wordpress

MITRE
  Status: PUBLISHED
  Assigner: Patchstack
  Published:
  Updated: 2026-05-11T23:59:15.055Z
  Reserved: 2025-04-01T13:20:41.854Z
  Link: CVE-2025-31838

Vulnrichment
  Updated: 2025-04-01T18:34:53.704Z

NVD
  Status: Deferred
  Published: 2025-04-01T15:16:24.430
  Modified: 2026-04-23T15:28:23.470
  Link: CVE-2025-31838

Redhat
  No data.

OpenCVE Enrichment
  Updated: 2026-05-01T02:00:06Z

Weaknesses