Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in magepeopleteam WpEvently mage-eventpress allows Reflected XSS. This issue affects WpEvently: from n/a through <= 5.1.4.
Published: 2026-03-25
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑site scripting that can execute arbitrary scripts in users’ browsers
Action: Patch Immediately
AI Analysis

Impact

The flaw is an improper neutralization of user input during web page generation, enabling reflected cross‑site scripting. An attacker can inject malicious JavaScript that is reflected back to the victim’s browser when a crafted request is executed, allowing the attacker to steal session tokens, deface content, or redirect users to phishing sites.

Affected Systems

Magepeopleteam’s WpEvently "mage‑eventpress" WordPress plugin is affected for all releases from the initial version up through 5.1.4. The vulnerability persists in every installed instance that has not been upgraded beyond 5.1.4.

Risk and Exploitability

The CVSS score of 7.1 indicates a high severity level. Although no EPSS score is publicly available and the flaw is not listed in the CISA KEV catalog, the exploitability is straightforward: an attacker can craft a URL or form submission that triggers the reflected script on any user browsing the site. The attack vector is inferred to be through user‑controlled input in HTTP queries or form data that is directly echoed in the response.

Generated by OpenCVE AI on March 25, 2026 at 23:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the WpEvently plugin to a version newer than 5.1.4 or to the latest release available from Magepeopleteam.
  • If an update cannot be applied immediately, disable or remove the plugin from the WordPress installation until a patch is released.
  • Verify that any future plugins or custom code added to the site properly encode or sanitize all output to prevent similar cross‑site scripting issues.



Advisories

No advisories yet.

History

Thu, 26 Mar 2026 12:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Magepeopleteam; Magepeopleteam wpevently; Wordpress; Wordpress wordpress
Vendors & Products | | Magepeopleteam; Magepeopleteam wpevently; Wordpress; Wordpress wordpress

Wed, 25 Mar 2026 21:15:00 +0000

Type | Values Removed | Values Added
Metrics | | cvssV3_1 {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}; ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 25 Mar 2026 16:45:00 +0000

Type | Values Removed | Values Added
Description | | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in magepeopleteam WpEvently mage-eventpress allows Reflected XSS. This issue affects WpEvently: from n/a through <= 5.1.4.
Title | | WordPress WpEvently plugin <= 5.1.4 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses | | CWE-79
References | |

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-23T14:14:09.162Z

Reserved: 2026-02-02T12:52:48.541Z

Link: CVE-2026-25361

Vulnrichment

Updated: 2026-03-25T20:05:45.960Z

NVD

Status: Deferred

Published: 2026-03-25T17:16:47.283

Modified: 2026-04-24T16:32:53.997

Link: CVE-2026-25361

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-26T12:12:46Z

Weaknesses