Impact
The Event Organiser plugin for WordPress contains a stored cross-site scripting flaw. The 'eo_events' shortcode accepts a 'no_events' parameter that can include arbitrary HTML and JavaScript; the plugin renders this content in event list templates without escaping. Authenticated users with Contributor or higher permissions can inject scripts that will be executed whenever any user visits a page that displays the injected content, enabling attacks such as cookie theft, session hijacking, or site defacement.
Affected Systems
This issue affects all WordPress sites running Event Organiser version 3.12.9 or earlier; the latest patch removes the vulnerability. All users of the stephenharris:Event Organiser plugin should verify their installed version and plan an upgrade.
Risk and Exploitability
The vulnerability has a CVSS score of 6.4, indicating medium severity. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog. The attack requires an authenticated Contributor or higher role and access to the event editing interface. Once injected, malicious scripts execute in the context of any visitor to the affected page, providing opportunity for credential theft or persistent exploitation.
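As an added example (not code from the plugin or from this advisory), the following Python scans stored WordPress post content for 'eo_events' shortcodes whose 'no_events' attribute carries markup, which is the kind of persisted payload a site owner would want to hunt for after upgrading. The sample rows are constructed, and the attribute parsing is a simplified form of WordPress's shortcode_parse_atts() rather than the real implementation.

```python
import re

# Matches one [eo_events ...] shortcode and captures its attribute string.
# Like WordPress itself, the shortcode ends at the first ']' (a simplified
# form of the pattern WP's get_shortcode_regex() builds).
SHORTCODE_RE = re.compile(r"\[eo_events\b([^\]]*)\]", re.IGNORECASE)

# The three attribute forms WordPress's shortcode_parse_atts() accepts:
# name="value", name='value' and bare name=value.
ATTR_RE = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'\]]+))""")

# Anything resembling an HTML tag, an on* handler or a javascript: URL is
# suspicious in a message that should be plain text.
MARKUP_RE = re.compile(r"<\s*/?\s*[a-z!]|\bon[a-z]+\s*=|javascript:", re.IGNORECASE)


def parse_atts(raw):
    """Return the attributes of one shortcode as a lowercase-keyed dict."""
    atts = {}
    for m in ATTR_RE.finditer(raw):
        name, dq, sq, bare = m.groups()
        atts[name.lower()] = dq if dq is not None else sq if sq is not None else bare
    return atts


def suspicious_no_events(post_content):
    """Return every no_events value in post_content that carries markup."""
    hits = []
    for m in SHORTCODE_RE.finditer(post_content):
        value = parse_atts(m.group(1)).get("no_events")
        if value is not None and MARKUP_RE.search(value):
            hits.append(value)
    return hits


def scan_posts(rows):
    """rows: iterable of (post_id, post_content). Returns [(post_id, value)]."""
    return [(pid, v) for pid, content in rows for v in suspicious_no_events(content)]


# Constructed sample rows standing in for wp_posts.ID / wp_posts.post_content.
SAMPLE_POSTS = [
    (101, 'Upcoming: [eo_events no_events="No events scheduled."]'),
    (102, '[eo_events event_category="talks" no_events="<script>/*test*/</script>"]'),
    (103, "[eo_events no_events='<img src=x onerror=x()>' numberposts=5]"),
    (104, "[EO_EVENTS numberposts=3] plain list, default message"),
    (105, "No shortcode in this post at all."),
]

if __name__ == "__main__":
    for pid, value in scan_posts(SAMPLE_POSTS):
        print(f"post {pid}: no_events={value!r}")
```

In practice the rows would come from a `SELECT ID, post_content FROM wp_posts WHERE post_content LIKE '%eo_events%'` export, and any hit should be reviewed and cleaned alongside the upgrade.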
OpenCVE Enrichment