Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Xylus Themes Import Social Events import-facebook-events allows Stored XSS. This issue affects Import Social Events: from n/a through <= 1.8.5.
Published: 2025-05-19
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Import Social Events plugin (up to version 1.8.5) contains a stored cross-site scripting flaw that allows an attacker to inject malicious scripts into content that is later rendered in the website's pages. This weakness permits the execution of arbitrary client-side code in the browsers of users who view affected pages, potentially leading to session hijacking, defacement, or the spread of malware. The vulnerability is classified as CWE-79, improper neutralization of input during web page generation.

Affected Systems

WordPress sites that have installed Xylus Themes Import Social Events plugin version 1.8.5 or earlier are affected. The vulnerability exists in all editions of the plugin distributed through the WordPress plugin repository.

Risk and Exploitability

The CVSS score of 6.5 places the flaw in the medium severity range, while the EPSS score of less than 1% suggests that exploitation is presently unlikely but not impossible. The vulnerability does not appear in the CISA KEV catalog, which lowers the immediate threat perception. The likely attack path involves using the event import feature to submit content that contains unsanitized script tags; the malicious payload is then stored and later rendered in the website's front end. Successful exploitation would require the attacker to find a site that runs the vulnerable plugin, but no known remote exploitation vector is documented in the advisory.

Generated by OpenCVE AI on April 30, 2026 at 19:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Import Social Events plugin to a version newer than 1.8.5, or remove the plugin entirely if no patch is available.
  • If an immediate update is not possible, disable the event import functionality or restrict it to trusted administrators only.
  • Sanitize or delete any existing event data that may contain malicious scripts to remove stored payloads.

Advisories
Source: EUVD
ID: EUVD-2025-28175
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Xylus Themes Import Social Events allows Stored XSS. This issue affects Import Social Events: from n/a through 1.8.5.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics
Values Removed: cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}
Values Added: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Xylus Themes Import Social Events allows Stored XSS. This issue affects Import Social Events: from n/a through 1.8.5.
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Xylus Themes Import Social Events import-facebook-events allows Stored XSS. This issue affects Import Social Events: from n/a through <= 1.8.5.

Type: Title
Values Removed: WordPress Import Social Events <= 1.8.5 - Cross Site Scripting (XSS) Vulnerability
Values Added: WordPress Import Social Events plugin <= 1.8.5 - Cross Site Scripting (XSS) Vulnerability

Type: References

Type: Metrics
Values Removed: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}
Values Added: cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}


Thu, 29 May 2025 21:15:00 +0000

Type: First Time appeared
Values Added: Xylusthemes; Xylusthemes import Social Events

Type: CPEs
Values Added: cpe:2.3:a:xylusthemes:import_social_events:*:*:*:*:*:wordpress:*:*

Type: Vendors & Products
Values Added: Xylusthemes; Xylusthemes import Social Events

Mon, 19 May 2025 19:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 19 May 2025 15:00:00 +0000

Type: Description
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Xylus Themes Import Social Events allows Stored XSS. This issue affects Import Social Events: from n/a through 1.8.5.

Type: Title
Values Added: WordPress Import Social Events <= 1.8.5 - Cross Site Scripting (XSS) Vulnerability

Type: Weaknesses
Values Added: CWE-79

Type: References

Type: Metrics
Values Added: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:54.288Z

Reserved: 2025-05-19T14:13:09.842Z

Link: CVE-2025-48256

Vulnrichment

Updated: 2025-05-19T15:09:15.248Z

NVD

Status: Modified

Published: 2025-05-19T15:15:28.587

Modified: 2026-04-23T15:30:58.687

Link: CVE-2025-48256

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T20:00:14Z

Weaknesses