Improper neutralization of input during web page generation allows the CP Multi View Event Calendar plugin to store and subsequently render malicious scripts. This stored cross‑site scripting can execute in the browser context of any user visiting the affected page, potentially leading to session hijacking, defacement, or disclosure of sensitive data. The weakness is identified as CWE‑79 and carries a CVSS base score of 6.5, indicating a moderate effect on confidentiality, integrity, and availability.

The vulnerability affects the WordPress CP Multi View Event Calendar plugin from unspecified initial versions through version 1.4.36. Users running any released build up to and including 1.4.36 are impacted. No further version detail is provided, but the issue is tied to the plugin supplied by codepeople.

With a CVSS score of 6.5, the potential damage is moderate, and the EPSS score of < 1% indicates a very low exploitation probability, while still being listed as non‑KEV. The exploit vector is inferred to be a stored XSS attack that likely requires access to an account capable of creating or editing calendar events, where malicious input can be injected and later served to other visitors. An attacker could inject script into event descriptions or titles, causing harmful actions when viewed.