Impact
The WP Event Aggregator plugin for WordPress is vulnerable to stored cross‑site scripting (XSS) because attributes passed to the 'wp_events' shortcode are not sufficiently sanitized before they are rendered. An attacker with Contributor or higher privileges can inject arbitrary JavaScript into posts or pages through the shortcode. The script executes in the browser of any visitor who views the affected content, compromising confidentiality and potentially enabling further attacks such as cookie theft, session hijacking, or defacement.
Affected Systems
WordPress sites running WP Event Aggregator version 1.8.7 or earlier, distributed by Xylus, are affected. Any user with Contributor‑level or higher access can exploit the flaw. The vulnerability is present in every configuration of the shortcode that accepts user‑supplied attributes.
Risk and Exploitability
The CVSS score of 6.4 indicates moderate severity. The EPSS score is below 1 %, so the estimated probability of exploitation is low, and the vulnerability is not catalogued in the CISA KEV list. The likely attack vector is an authenticated Contributor storing malicious attributes in a 'wp_events' shortcode. Because exploitation requires an account with at least Contributor permission, an attacker must already hold or first obtain legitimate credentials. Since the flaw is stored, injected code persists in the database and runs on every subsequent load of the affected page for every visitor until the plugin is disabled or the attributes are correctly sanitized. At present no vendor‑supplied update resolves the issue, so administrators must mitigate by disabling the plugin or filtering input. The impact is primarily execution of arbitrary client‑side code, which can lead to phishing, data exfiltration, or further server‑side compromise via social engineering.
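To illustrate the bug class and its fix, the following is an added example in plain PHP and not WP Event Aggregator's code: a hypothetical shortcode handler that places attributes into HTML unescaped, beside a hardened version that allowlists attributes and escapes per output context. It assumes nothing about the plugin's internals; htmlspecialchars() stands in for WordPress's esc_html(), and the $atts array mimics what add_shortcode() hands a handler.

```php
<?php
// Added illustration, not the plugin's own code. A hypothetical
// 'wp_events' style handler, first unescaped (the bug class above),
// then hardened. htmlspecialchars() stands in for WordPress esc_html().

// Unsafe: attribute values land verbatim in markup, so whoever may use
// the shortcode (a Contributor here) controls what the browser parses.
function render_events_unsafe(array $atts): string {
    $cols  = $atts['cols']  ?? '3';
    $title = $atts['title'] ?? 'Events';
    return "<div class=\"events cols-$cols\"><h2>$title</h2></div>";
}

// Hardened: allowlist expected attributes with defaults (what
// shortcode_atts() does in WordPress), coerce numeric values, and
// escape text at the point of output.
function render_events_safe(array $atts): string {
    $defaults = ['cols' => '3', 'title' => 'Events'];
    $atts  = array_merge($defaults, array_intersect_key($atts, $defaults));
    $cols  = max(1, min(6, (int) $atts['cols']));                    // digits only
    $title = htmlspecialchars($atts['title'], ENT_QUOTES, 'UTF-8');  // esc_html()
    return "<div class=\"events cols-$cols\"><h2>$title</h2></div>";
}

// Constructed attribute values, as a Contributor could store them in a post.
$stored = [
    'title' => '<script>document.title="x"</script>',
    'cols'  => '3" onmouseover="x()',
];

$unsafe = render_events_unsafe($stored);
$safe   = render_events_safe($stored);

// The unsafe output contains live markup; the hardened one contains only text.
if (!str_contains($unsafe, '<script>')) throw new RuntimeException('unexpected');
if (str_contains($safe, '<script>') || str_contains($safe, 'onmouseover')) {
    throw new RuntimeException('escaping failed');
}
$expected = '<div class="events cols-3"><h2>&lt;script&gt;document.title=&quot;x&quot;&lt;/script&gt;</h2></div>';
if ($safe !== $expected) throw new RuntimeException('unexpected safe output');
echo $safe, PHP_EOL;
```

The hardened handler is the pattern a patched plugin would need: context-appropriate escaping on output, with attribute allowlisting so that unexpected keys are never rendered at all.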
OpenCVE Enrichment