Description
The Event Tickets, RSVPs, Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'ticket_spot' shortcode in all versions up to, and including, 1.0.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-10-03
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting accessible to authenticated contributors and above
Action: Patch Immediately
AI Analysis

Impact

The Event Tickets, RSVPs, Calendar plugin for WordPress contains an input validation flaw that allows an authenticated user with contributor privileges or higher to inject arbitrary JavaScript into pages using the plugin’s ‘ticket_spot’ shortcode. The injected script is stored within the post or page content and will execute automatically whenever any user visits the impacted page, potentially enabling credential theft, session hijacking, defacement, or data exfiltration. The weakness is a classic stored cross‑site scripting flaw, classified as CWE‑79.

Affected Systems

The vulnerability affects the TicketSpot Event Tickets, RSVPs, Calendar plugin for WordPress in all versions up to and including 1.0.2. Every site running one of those releases is affected, regardless of how many websites or WordPress installations it hosts.

Risk and Exploitability

The CVSS score of 6.4 indicates moderate severity, but the EPSS score is below 1% and the vulnerability is not listed in the CISA KEV catalog, suggesting a low but non‑zero probability of exploitation. Because exploitation requires an authenticated contributor account, the flaw is a post‑authentication privilege escalation vector rather than an unauthenticated remote exploit. If an attacker obtains a contributor account, the scripts they inject affect every subsequent visitor to the affected page, giving the flaw a broad impact across the site’s user base.

Generated by OpenCVE AI on April 21, 2026 at 18:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the TicketSpot Event Tickets, RSVPs, Calendar plugin to the latest version (≥ 1.0.3) where input sanitization is fixed.
  • If an update is unavailable, disable the ‘ticket_spot’ shortcode on all posts and pages or remove it entirely from the site.
  • Apply a content filter that escapes all output of the plugin’s attributes to prevent execution of injected scripts.
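The pattern the last two actions describe, as an added illustration that is not the TicketSpot plugin's own code: a hypothetical `ticket_spot` handler that emits attributes raw beside one that sanitizes on input and escapes per output context, followed by a must-use plugin that neutralizes the shortcode until the fix is installed. The attribute names `title` and `url` are assumed; only the shortcode tag comes from the advisory.

```php
<?php
// Hypothetical handlers illustrating the CWE-79 defect class described in the
// advisory (unsanitized, unescaped shortcode attributes). Not the plugin's code.

// WEAK: attribute values are concatenated straight into markup, so whatever a
// contributor saved in [ticket_spot title="..." url="..."] is rendered verbatim.
function ts_weak_shortcode( $atts ) {
    $atts = shortcode_atts( array( 'title' => 'Tickets', 'url' => '#' ), $atts, 'ticket_spot' );
    return '<a class="ticket-spot" href="' . $atts['url'] . '">' . $atts['title'] . '</a>';
}

// HARDENED: normalize on input, then escape for the exact output context.
function ts_safe_shortcode( $atts ) {
    $atts = shortcode_atts( array( 'title' => 'Tickets', 'url' => '#' ), $atts, 'ticket_spot' );

    // sanitize_text_field() strips tags and control characters from the value.
    $title = sanitize_text_field( $atts['title'] );

    // esc_url() rejects unsafe schemes and returns '' for them; fall back to a
    // harmless anchor rather than emitting an empty href.
    $url = esc_url( $atts['url'] );
    if ( '' === $url ) {
        $url = '#';
    }

    // esc_url() output is attribute-safe; esc_html() covers the text-node context.
    return sprintf( '<a class="ticket-spot" href="%s">%s</a>', $url, esc_html( $title ) );
}

// WORKAROUND (drop into wp-content/mu-plugins/ until the plugin is updated):
// unregister the vulnerable tag and replace it with a no-op so the shortcode
// renders nothing instead of its raw attributes. Assumes the plugin registers
// the tag no later than init priority 10, so priority 99 runs after it.
add_action( 'init', function () {
    remove_shortcode( 'ticket_spot' );
    add_shortcode( 'ticket_spot', '__return_empty_string' );
}, 99 );
```

Removing the tag alone would leave the literal `[ticket_spot ...]` text in page output, which is why the no-op handler is registered in its place.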

Generated by OpenCVE AI on April 21, 2026 at 18:57 UTC.


Advisories
Source   ID                 Title
EUVD     EUVD-2025-32278    The Event Tickets, RSVPs, Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'ticket_spot' shortcode in all versions up to, and including, 1.0.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
History

Mon, 06 Oct 2025 14:45:00 +0000

Type                  Values Removed    Values Added
First Time appeared                     Ticketspot; Ticketspot event Tickets; Wordpress; Wordpress wordpress
Vendors & Products                      Ticketspot; Ticketspot event Tickets; Wordpress; Wordpress wordpress

Fri, 03 Oct 2025 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 03 Oct 2025 11:30:00 +0000

Type Values Removed Values Added
Description The Event Tickets, RSVPs, Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'ticket_spot' shortcode in all versions up to, and including, 1.0.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title Event Tickets, RSVPs, Calendar <= 1.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:48:10.012Z

Reserved: 2025-09-02T21:18:52.488Z

Link: CVE-2025-9875

Vulnrichment

Updated: 2025-10-03T18:05:03.359Z

NVD

Status: Deferred

Published: 2025-10-03T12:15:49.453

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-9875

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T19:00:36Z

Weaknesses