Description
The Event RSVP and Simple Event Management Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'emd_mb_meta' shortcode in all versions up to, and including, 4.1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-06-26
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored cross‑site scripting
Action: Upgrade
AI Analysis

Impact

The Event RSVP and Simple Event Management Plugin is vulnerable to stored cross‑site scripting in the 'emd_mb_meta' shortcode due to insufficient input sanitization and output escaping of user‑supplied attributes. An authenticated user holding contributor or higher privileges can inject arbitrary scripts that execute whenever a site visitor loads a page containing the shortcode, enabling theft of session cookies, defacement, and other client‑side attacks.

Affected Systems

All installations of the WordPress plugin Event RSVP and Simple Event Management Plugin from the WordPress repository with version numbers up to and including 4.1.0 are affected. The flaw manifests in every iteration of the plugin released in that range regardless of other installed plugins or themes.

Risk and Exploitability

The CVSS score of 6.4 indicates a moderate level of risk. The EPSS score of < 1% means that exploitation is expected to be very low in the wild at present, and the vulnerability is not listed in CISA KEV. However, exploitation only requires an authenticated contributor‑level account, which an attacker could obtain through credential compromise or phishing. Once such an account is available, the injected scripts will run in the context of any user viewing the affected page, and while the flaw does not give remote code execution on the server, it poses a significant threat to client‑side data and site integrity.

Generated by OpenCVE AI on April 21, 2026 at 20:03 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Event RSVP and Simple Event Management Plugin to a version newer than 4.1.0.
  • If an immediate update is not possible, deactivate the plugin until the fix is released.
  • Limit the number of users with Contributor or higher roles to trusted administrators or remove Contributor privileges from untrusted accounts.

Generated by OpenCVE AI on April 21, 2026 at 20:03 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-28588 The Event RSVP and Simple Event Management Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'emd_mb_meta' shortcode in all versions up to, and including, 4.1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
History

Wed, 08 Apr 2026 18:30:00 +0000

Type Values Removed Values Added
References

Sat, 12 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.00032}

 epss

{'score': 0.00029}

Fri, 11 Jul 2025 14:30:00 +0000

Type Values Removed Values Added
First Time appeared Emarketdesign
Emarketdesign event Rsvp And Simple Event Management
CPEs cpe:2.3:a:emarketdesign:event_rsvp_and_simple_event_management:*:*:*:*:*:wordpress:*:*
Vendors & Products Emarketdesign
Emarketdesign event Rsvp And Simple Event Management

Thu, 26 Jun 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 26 Jun 2025 02:15:00 +0000

Type Values Removed Values Added
Description The Event RSVP and Simple Event Management Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'emd_mb_meta' shortcode in all versions up to, and including, 4.1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title Event RSVP and Simple Event Management Plugin <= 4.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Emarketdesign Event Rsvp And Simple Event Management
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:32:16.547Z

Reserved: 2025-06-03T15:50:58.944Z

Link: CVE-2025-5540

cve-icon Vulnrichment

Updated: 2025-06-26T13:26:18.516Z

cve-icon NVD

Status : Modified

Published: 2025-06-26T02:15:21.650

Modified: 2026-04-08T19:24:20.990

Link: CVE-2025-5540

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T20:15:44Z

Weaknesses