Description
The Events Manager – Calendar, Bookings, Tickets, and more! plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘calendar_header’ parameter in all versions up to, and including, 7.0.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Published: 2025-07-09
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Reflected XSS causing arbitrary script execution in victim browsers
Action: Patch Update
AI Analysis

Impact

This vulnerability is a reflected Cross‑Site Scripting flaw that is triggered by the 'calendar_header' parameter in the Events Manager plugin. The input is not properly sanitized or escaped, so an attacker can embed malicious JavaScript in the URL or form data. If a user visits the crafted link, the script runs in the context of the WordPress site and can execute arbitrary client‑side code.

Affected Systems

All installations of the Events Manager – Calendar, Bookings, Tickets, and more! plugin for WordPress up to and including version 7.0.3 are vulnerable. The issue originates in the plugin code that outputs the calendar_header value without filtering, regardless of user role, meaning any site running a vulnerable version is impacted.

Risk and Exploitability

The CVSS score of 6.1 indicates medium severity, while the EPSS score of < 1% signals a low likelihood of exploitation at this time. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is a remote, unauthenticated attacker crafting a malicious link that convinces a victim to click on it; no additional privileges are required beyond the victim’s visit.

Generated by OpenCVE AI on April 21, 2026 at 19:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Events Manager plugin to a version newer than 7.0.3, which contains the fixed implementation of the calendar_header parameter.
  • Configure a web application firewall or security plugin to block or sanitize any input that matches the calendar_header query parameter, preventing XSS payloads from reaching the page.
  • Implement a Content Security Policy that restricts script execution to trusted sources, limiting the impact of any residual reflected XSS vectors.
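As an added example that is not part of this advisory or the plugin's own code, the check below scans web-server access logs for requests whose calendar_header value carries HTML or script markup, the kind of traffic the WAF recommendation above is meant to stop; the log lines, the log format and the heuristic patterns are constructed assumptions.

```python
import re
from urllib.parse import parse_qs, unquote, urlparse

# Query parameter named in the advisory for CVE-2025-6975.
PARAM = "calendar_header"

# Heuristic markers of HTML/JS injection in a reflected value. Assumption: tags,
# javascript: URLs and inline event handlers never occur in a legitimate header.
SUSPICIOUS = re.compile(r"<\s*/?\s*[a-z]|javascript\s*:|\bon[a-z]+\s*=", re.I)

# Combined-format access log line (constructed shape, not from the page).
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

def param_values(target, name=PARAM):
    """Decoded values of `name` in a request target. parse_qs percent-decodes
    once; the extra unquote() also catches double-encoded values."""
    query = urlparse(target).query
    return [unquote(v) for v in parse_qs(query, keep_blank_values=True).get(name, [])]

def flag_request(target):
    """Values of the parameter that look like injection attempts, else []."""
    return [v for v in param_values(target) if SUSPICIOUS.search(v)]

def scan_log(lines):
    """Run the check over access-log lines; one finding dict per hit."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # unrecognised line shape: skip rather than crash
        hits = flag_request(m.group("target"))
        if hits:
            findings.append({"ip": m.group("ip"), "ts": m.group("ts"), "values": hits})
    return findings

# Constructed sample log (RFC 5737 test addresses): a plain-encoded attempt, a
# benign value, a double-encoded attempt, and a request without the parameter.
SAMPLE_LOG = [
    '203.0.113.7 - - [09/Jul/2025:23:15:24 +0000] "GET /events/?calendar_header=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5123',
    '198.51.100.2 - - [09/Jul/2025:23:16:01 +0000] "GET /events/?calendar_header=Upcoming%20Events HTTP/1.1" 200 5001',
    '198.51.100.9 - - [09/Jul/2025:23:17:44 +0000] "GET /events/?calendar_header=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 5099',
    '198.51.100.2 - - [09/Jul/2025:23:18:10 +0000] "GET /events/?scope=future HTTP/1.1" 200 4870',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} calendar_header={f['values']}")
```

The double decode matters because a filter that inspects only the raw query string never sees the markup in the third sample line.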

Tracking

Advisories
Source: EUVD
ID: EUVD-2025-20876
Title: The Events Manager – Calendar, Bookings, Tickets, and more! plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘calendar_header’ parameter in all versions up to, and including, 7.0.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
History

Tue, 15 Jul 2025 13:45:00 +0000

Type: Metrics (epss)
Values Removed: {'score': 0.00082}
Values Added: {'score': 0.00089}


Fri, 11 Jul 2025 17:30:00 +0000

Type: First Time appeared
Values Added: Pixelite; Pixelite events Manager
Type: CPEs
Values Added: cpe:2.3:a:pixelite:events_manager:*:*:*:*:*:wordpress:*:*
Type: Vendors & Products
Values Added: Pixelite; Pixelite events Manager

Thu, 10 Jul 2025 13:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 09 Jul 2025 22:30:00 +0000

Type: Description
Values Added: The Events Manager – Calendar, Bookings, Tickets, and more! plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘calendar_header’ parameter in all versions up to, and including, 7.0.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Type: Title
Values Added: Event Manager <= 7.0.3 - Reflected Cross-Site Scripting via `calendar_header` Parameter
Type: Weaknesses
Values Added: CWE-79
Type: References
Type: Metrics (cvssV3_1)
Values Added: {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


Subscriptions

Pixelite Events Manager
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:17:33.177Z

Reserved: 2025-07-01T13:35:27.266Z

Link: CVE-2025-6975

Vulnrichment

Updated: 2025-07-10T13:09:58.396Z

NVD

Status: Analyzed

Published: 2025-07-09T23:15:24.883

Modified: 2025-07-11T17:27:10.577

Link: CVE-2025-6975

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T20:00:25Z

Weaknesses