Impact
The vulnerability is an improper neutralization of input during web page generation (CWE-79, cross-site scripting) in the Tockify Events Calendar plugin. According to the description, an attacker can inject arbitrary JavaScript that runs in the context of a victim's browser when a page containing the injected payload is rendered. The description implies that this can lead to session hijacking, credential theft, defacement, or further attacks against the affected user.
Affected Systems
The affected product is the Tockify Events Calendar WordPress plugin, version 2.2.13 and earlier. Any WordPress site running a version of this plugin older than 2.2.14, whether freshly installed or upgraded to it, is vulnerable.
Risk and Exploitability
The CVSS score of 6.5 indicates moderate severity. The EPSS score is below 1%, suggesting a low probability of widespread exploitation at present. The vulnerability is not listed in the CISA KEV catalog. Because the flaw is DOM-based XSS, exploitation requires a victim to visit a crafted URL or follow a malicious link that carries the injected script; no authentication or server-side privileges are needed. According to the description, an attacker could embed the payload by manipulating plugin settings or by tricking a user into opening a page containing the manipulated input, resulting in client-side execution of code that can compromise the user's session or inject further malicious content.
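The DOM-based XSS pattern described in the Impact and Risk sections, shown as an added illustration that is not the Tockify plugin's code: a fragment source standing in for location.hash, a string sink standing in for innerHTML, the same sink with escaping applied, and an allowlist parser as the stronger fix for a calendar widget. The function names, the "tkf-event" wrapper class, the view/date parameter names and the sample URL are all constructed for this example; it runs under Node without a browser.

```javascript
// Added example (not from the Tockify plugin). Models the DOM-XSS data flow
// as plain strings so it runs in Node: fragment -> markup -> "innerHTML".

// Source: the decoded URL fragment, the usual DOM-XSS input (location.hash).
function fragmentFromUrl(url) {
  const u = new URL(url);
  return decodeURIComponent(u.hash.slice(1)); // drop the leading '#'
}

// "Before": untrusted fragment concatenated straight into markup. Any '<'
// in the fragment becomes part of the document once this hits innerHTML.
function renderUnsafe(fragment) {
  return '<div class="tkf-event">' + fragment + '</div>';
}

// Minimal HTML entity escaping for text placed inside an element body.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// "After": escape before interpolating. In a real page, assigning
// element.textContent = fragment gives the same result without building markup.
function renderSafe(fragment) {
  return '<div class="tkf-event">' + escapeHtml(fragment) + '</div>';
}

// Stronger fix for a calendar widget: accept only the parameters the view
// actually understands, each checked against a strict pattern. Unknown keys
// and malformed values are dropped rather than echoed into the page.
// (Parameter names here are hypothetical, not the plugin's.)
const ALLOWED_PARAMS = {
  view: /^(month|week|agenda)$/,
  date: /^\d{4}-\d{2}-\d{2}$/,
};
function parseFragmentParams(fragment) {
  const params = {};
  for (const pair of fragment.split('&')) {
    if (!pair) continue;
    const eq = pair.indexOf('=');
    const key = eq === -1 ? pair : pair.slice(0, eq);
    const value = eq === -1 ? '' : pair.slice(eq + 1);
    if (Object.prototype.hasOwnProperty.call(ALLOWED_PARAMS, key) && ALLOWED_PARAMS[key].test(value)) {
      params[key] = value;
    }
  }
  return params;
}

// Defender-side check: does the rendered string carry any tag beyond the
// fixed wrapper? True means untrusted input reached the page as HTML.
function introducesMarkup(rendered) {
  const inner = rendered.replace(/^<div class="tkf-event">/, '').replace(/<\/div>$/, '');
  return /<[a-zA-Z!\/]/.test(inner);
}

// Constructed URL with a harmless tag in the fragment; no real payload.
const sampleUrl = 'https://example.test/events#%3Cb%3Einjected%3C%2Fb%3E';
const frag = fragmentFromUrl(sampleUrl);
console.log('unsafe :', renderUnsafe(frag), '->', introducesMarkup(renderUnsafe(frag)));
console.log('safe   :', renderSafe(frag), '->', introducesMarkup(renderSafe(frag)));
console.log('params :', parseFragmentParams('view=month&date=2024-05-01&junk=x'));
```

The escaping fix is the minimal patch for an existing string-building sink; the allowlist parser is what a site owner should look for in the fixed version of any widget that reads its state from the URL, since it removes the need to render untrusted text at all.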
OpenCVE Enrichment