Impact
The WordPress Events Calendar Registration & Tickets plugin does not properly neutralize user input before embedding it in generated web pages. An attacker can supply crafted data, such as URL parameters or form fields, that the plugin reflects back to the browser unchanged, so attacker-controlled script executes in the context of the site. This reflected cross-site scripting (XSS) can lead to session hijacking, cookie theft, site defacement, or other client-side attacks, depending on the attacker's objectives. The net effect is a compromise of client data and the ability to run arbitrary script in victims' browsers.
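To make the flaw class concrete, here is an added illustration of the vulnerable pattern next to its hardened form. It is not the plugin's own code and not part of the advisory: the function names, the `event` and `return_to` parameters and the markup are hypothetical. The escaping and sanitizing helpers (`wp_unslash()`, `sanitize_text_field()`, `esc_html()`, `esc_attr()`, `esc_url()`, `esc_url_raw()`) are real WordPress core functions, so the snippet is meant to run inside WordPress rather than as a stand-alone script.

```php
<?php
// Added illustration of the reflected-XSS pattern described above. NOT the plugin's code;
// function names, parameter names and markup are hypothetical. The wp_* / esc_* / sanitize_*
// helpers are WordPress core functions, so this only runs inside a WordPress request.

// VULNERABLE pattern: a request parameter is concatenated straight into HTML. Whatever the
// requester puts in ?event= is parsed as markup by the victim's browser.
function example_notice_vulnerable(): string {
    $event = isset($_GET['event']) ? $_GET['event'] : '';
    return '<p class="notice">Registration for ' . $event . ' received.</p>';
}

// HARDENED pattern: sanitize on the way in, escape for the exact output context on the way out.
function example_notice_hardened(): string {
    // wp_unslash() removes the slashes WordPress adds to superglobals;
    // sanitize_text_field() strips tags, invalid octets and control characters.
    $event = isset($_GET['event']) ? sanitize_text_field(wp_unslash($_GET['event'])) : '';
    // esc_html() encodes < > & " ' so the value can only ever render as text, never as markup.
    return '<p class="notice">Registration for ' . esc_html($event) . ' received.</p>';
}

// Each output context has its own escaper: an attribute value needs esc_attr(); a URL needs
// esc_url(), which also drops schemes outside the WordPress allow-list (e.g. javascript:).
function example_back_link_hardened(): string {
    $event     = isset($_GET['event'])     ? sanitize_text_field(wp_unslash($_GET['event']))  : '';
    $return_to = isset($_GET['return_to']) ? esc_url_raw(wp_unslash($_GET['return_to']))      : '';
    return '<a href="' . esc_url($return_to) . '" data-event="' . esc_attr($event) . '">Back</a>';
}
```

The defensive rule this shows is that escaping is chosen by where the value lands (HTML text, attribute, URL), not by where it came from; sanitizing the input alone is not enough, because `sanitize_text_field()` still allows characters such as quotes that break out of an attribute.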
Affected Systems
The plugin "WordPress Events Calendar Registration & Tickets" by elbisnero (wpeventplus) is affected. All releases through version 2.6.0 are vulnerable; later releases are not listed as affected, and the CVE data does not name a specific patched version.
Risk and Exploitability
The CVSS score of 7.1 classifies this vulnerability as medium-high severity, while the EPSS score of less than 1% indicates a low, but non-zero, likelihood of exploitation in the wild. It is not currently listed in CISA's KEV catalog. Exploitation requires only a crafted web request that a victim's browser loads; no credentials are needed. Sites running the vulnerable plugin therefore face a notable risk, particularly where users can be led to URLs or input fields carrying malicious content.
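Because exploitation consists of a single crafted request, the most useful detection signal a site owner has is the web-server access log. The following added example (not from OpenCVE, EUVD or the plugin vendor) scans constructed combined-format log lines for query parameters that carry HTML or JavaScript metacharacters, the usual footprint of reflected-XSS probing. The request paths and parameter names in the sample are placeholders, not the plugin's real endpoints; tune the path filter and patterns to your own site.

```php
<?php
// Added example: first-pass triage of access logs for reflected-XSS probing.
// Not the plugin's or the advisory's code. Sample lines below are constructed; the paths
// and parameter names are placeholders, not real endpoints of the affected plugin.

$sampleLog = <<<'LOG'
203.0.113.10 - - [12/May/2024:10:01:02 +0000] "GET /?page_id=42&event=Summer+Gala HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.11 - - [12/May/2024:10:01:09 +0000] "GET /?page_id=42&event=%3Cscript%3Ealert%281%29%3C%2Fscript%3E HTTP/1.1" 200 5200 "-" "Mozilla/5.0"
203.0.113.12 - - [12/May/2024:10:02:15 +0000] "GET /?page_id=42&return_to=javascript%3Aalert%281%29 HTTP/1.1" 200 5180 "-" "curl/8.0"
203.0.113.13 - - [12/May/2024:10:03:40 +0000] "GET /wp-content/uploads/poster.png HTTP/1.1" 200 88000 "-" "Mozilla/5.0"
LOG;

// Return the parameters of a query string whose (decoded) value looks like markup or script:
// an opening tag, a javascript: scheme, or an on*= event-handler attribute.
function suspicious_parameter_values(string $query): array {
    $hits = [];
    parse_str($query, $params);              // parse_str() URL-decodes each value once
    foreach ($params as $name => $value) {
        if (!is_string($value)) {
            continue;                        // skip array-style params such as a[]=1
        }
        $decoded = rawurldecode($value);     // second decode catches double-encoded probes
        if (preg_match('/<\s*\/?\s*[a-z]|javascript\s*:|\bon[a-z]+\s*=/i', $decoded)) {
            $hits[$name] = $decoded;
        }
    }
    return $hits;
}

// Parse combined-log lines and collect requests with suspicious query parameters.
function scan_access_log(string $log): array {
    $findings = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        if (!preg_match('/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/', $line, $m)) {
            continue;                        // not a combined-format line
        }
        [, $ip, $when, $method, $target, $status] = $m;
        $query = parse_url($target, PHP_URL_QUERY);
        if (!is_string($query) || $query === '') {
            continue;                        // no query string to inspect
        }
        $hits = suspicious_parameter_values($query);
        if ($hits !== []) {
            $findings[] = [
                'ip'     => $ip,
                'time'   => $when,
                'method' => $method,
                'status' => (int) $status,
                'params' => $hits,
            ];
        }
    }
    return $findings;
}

foreach (scan_access_log($sampleLog) as $f) {
    printf("%s %s %s %d suspicious params: %s\n",
        $f['time'], $f['ip'], $f['method'], $f['status'], json_encode($f['params']));
}
```

Run with `php scan.php`; on the sample it flags the second and third lines and leaves the ordinary registration and the image request alone. A 200 status on a flagged request is worth attention, since it means the page that reflects the parameter was served rather than blocked, and a WAF or the plugin update is the place to close that gap; POST bodies are not in access logs, so form-field reflection needs application-level logging or a WAF to observe.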
OpenCVE Enrichment