Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPMinds Simple WP Events simple-wp-events allows Stored XSS. This issue affects Simple WP Events: from n/a through <= 1.8.17.
Published: 2025-04-04
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Simple WP Events plugin contains a stored cross‑site scripting flaw that allows an attacker to embed and persist malicious scripts in event content. If an attacker successfully injects code, any visitor who renders the compromised event will execute that code in the context of the site, potentially hijacking sessions, defacing content, or injecting further malware. The vulnerability is categorized as CWE‑79.

Affected Systems

WPMinds Simple WP Events plugin versions up to and including 1.8.17 are impacted. Any installation running one of these versions should be treated as vulnerable until it is upgraded.

Risk and Exploitability

With a CVSS score of 6.5, the flaw is considered moderate severity. The EPSS score of less than 1% suggests a low probability of exploitation in the near term, and the vulnerability is not currently listed in the CISA KEV database. Based on the description, exploitation likely requires the ability to create or edit event content, which implies that an authenticated attacker with such privileges could place the XSS payload. Once stored, the script executes for all viewers of the event. The overall risk is therefore moderate, but the potential impact on user accounts and site integrity warrants timely action.

Generated by OpenCVE AI on May 1, 2026 at 11:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Simple WP Events plugin to the latest version that removes the XSS flaw.
  • If an upgrade is not immediately possible, restrict event creation and editing to users with high‑trust permissions and remove or escape any HTML markup or script tags from event content before display.
  • Implement a content‑security‑policy that blocks execution of inline scripts and disallows the loading of external script resources from untrusted origins.
  • Periodically audit the site’s event content for suspicious or embedded script references.



Advisories
Source: EUVD
ID: EUVD-2025-9820
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPMinds Simple WP Events allows Stored XSS. This issue affects Simple WP Events: from n/a through 1.8.17.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPMinds Simple WP Events allows Stored XSS. This issue affects Simple WP Events: from n/a through 1.8.17.
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPMinds Simple WP Events simple-wp-events allows Stored XSS. This issue affects Simple WP Events: from n/a through <= 1.8.17.
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Fri, 04 Apr 2025 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 04 Apr 2025 16:15:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPMinds Simple WP Events allows Stored XSS. This issue affects Simple WP Events: from n/a through 1.8.17.
Title WordPress Simple WP Events plugin <= 1.8.17 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:18.695Z

Reserved: 2025-04-04T10:01:28.632Z

Link: CVE-2025-32193

Vulnrichment

Updated: 2025-04-04T19:53:16.965Z

NVD

Status: Deferred

Published: 2025-04-04T16:15:29.343

Modified: 2026-04-23T15:28:43.987

Link: CVE-2025-32193

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T11:15:15Z
