Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CoolHappy The Events Calendar Countdown Addon countdown-for-the-events-calendar allows Stored XSS. This issue affects The Events Calendar Countdown Addon: from n/a through <= 1.4.9.
Published: 2025-06-06
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an Improper Neutralization of Input During Web Page Generation weakness (CWE-79) that allows stored XSS. An attacker who can inject malicious code into the plugin's data store can later cause that code to execute in the browser of any user who views the affected page. This can lead to information theft, session hijacking, or delivery of further malware, all without the need for a separate exploit.

Affected Systems

The affected product is the CoolHappy The Events Calendar Countdown Addon plugin for WordPress. The advisory lists every version from n/a through 1.4.9 as affected, so any installation running 1.4.9 or an earlier release is vulnerable. Site administrators should audit their plugins to determine which versions they are running.

Risk and Exploitability

The CVSS score is 6.5, which is Medium severity. The EPSS score puts the probability of exploitation below 1%, and the vulnerability is not listed in the CISA KEV catalog. Because this is stored XSS, an attacker must first supply input that the plugin stores; once stored, the code executes for every viewer of the page. On current exploitation data, the risk is moderate and the likelihood of exploitation is low.

Generated by OpenCVE AI on April 30, 2026 at 18:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade The Events Calendar Countdown Addon to a version newer than 1.4.9 once one becomes available.
  • If a newer version is not yet released, temporarily deactivate the plugin until a fix is published.
  • Manually review existing event entries and remove any suspicious script content that an attacker may have stored.
  • Deploy a Web Application Firewall rule to block typical XSS payloads submitted through event fields.

Advisories
Source: EUVD
ID: EUVD-2025-17257
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CoolHappy The Events Calendar Countdown Addon allows Stored XSS. This issue affects The Events Calendar Countdown Addon: from n/a through 1.4.9.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CoolHappy The Events Calendar Countdown Addon allows Stored XSS. This issue affects The Events Calendar Countdown Addon: from n/a through 1.4.9.
  Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CoolHappy The Events Calendar Countdown Addon countdown-for-the-events-calendar allows Stored XSS. This issue affects The Events Calendar Countdown Addon: from n/a through <= 1.4.9.
Title
  Values Removed: WordPress The Events Calendar Countdown Addon <= 1.4.9 - Cross Site Scripting (XSS) Vulnerability
  Values Added: WordPress The Events Calendar Countdown Addon plugin <= 1.4.9 - Cross Site Scripting (XSS) Vulnerability
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Fri, 06 Jun 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 06 Jun 2025 13:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CoolHappy The Events Calendar Countdown Addon allows Stored XSS. This issue affects The Events Calendar Countdown Addon: from n/a through 1.4.9.
Title WordPress The Events Calendar Countdown Addon <= 1.4.9 - Cross Site Scripting (XSS) Vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:00.789Z

Reserved: 2025-06-04T09:42:00.390Z

Link: CVE-2025-49311

Vulnrichment

Updated: 2025-06-06T15:38:44.282Z

NVD

Status: Deferred

Published: 2025-06-06T13:15:47.070

Modified: 2026-04-23T15:31:26.560

Link: CVE-2025-49311

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T18:45:21Z

Weaknesses