Impact
Improper neutralization of user input during web page generation in the Atte Moisio AM Events WordPress plugin leads to stored cross‑site scripting. An attacker can inject HTML or JavaScript that will execute when a visitor loads a page or post created or edited through the plugin, potentially compromising confidentiality, integrity, or availability of the site. This is a classic input validation weakness identified as CWE‑79.
Affected Systems
The vulnerability affects the AM Events plugin for WordPress released by Atte Moisio, specifically versions up through and including 1.13.1. Later versions are presumed to contain the fix. No other vendors or products are listed.
Risk and Exploitability
The vulnerability has a CVSS score of 5.9, indicating a medium level of severity, and an EPSS score of less than 1 %, suggesting that exploitation is unlikely but not impossible. The issue is not listed in the CISA KEV catalog. An attacker would need the ability to create or edit content via the plugin; this requirement is inferred, as the CVE description does not specify attacker privileges directly.
OpenCVE Enrichment