Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in codepeople CP Multi View Event Calendar cp-multi-view-calendar allows Stored XSS.This issue affects CP Multi View Event Calendar : from n/a through <= 1.4.35.
Published: 2026-03-25
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored XSS
Action: Patch
AI Analysis

Impact

Improper neutralization of input during web page generation allows the CP Multi View Event Calendar plugin to store and subsequently render malicious scripts. This stored cross‑site scripting can execute in the browser context of any user visiting the affected page, potentially leading to session hijacking, defacement, or disclosure of sensitive data. The weakness is identified as CWE‑79 and carries a CVSS base score of 6.5, indicating a moderate effect on confidentiality, integrity, and availability.

Affected Systems

The vulnerability affects the WordPress CP Multi View Event Calendar plugin from unspecified initial versions through version 1.4.35. Users running any released build up to and including 1.4.35 are impacted. No further version detail is provided, but the issue is tied to the plugin supplied by codepeople.

Risk and Exploitability

With a CVSS score of 6.5, the potential damage is moderate, though the lack of an EPSS score and a non‑KEV listing suggest a lower immediate exploitation probability. The exploit vector is inferred to be a stored XSS attack that likely requires access to an account capable of creating or editing calendar events, where malicious input can be injected and later served to other visitors. An attacker could inject script into event descriptions or titles, causing harmful actions when viewed.

Generated by OpenCVE AI on March 25, 2026 at 23:03 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the CP Multi View Event Calendar plugin to the latest version that resolves the XSS issue.
  • If an update is not yet available, disable or uninstall the plugin until a patch is released.
  • Apply additional input sanitization or use a content security policy to limit script execution.
  • Regularly monitor the vendor’s security advisories for new patches or workarounds.

Generated by OpenCVE AI on March 25, 2026 at 23:03 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 26 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Codepeople
Codepeople cp Multi View Event Calendar
Wordpress
Wordpress wordpress
Vendors & Products Codepeople
Codepeople cp Multi View Event Calendar
Wordpress
Wordpress wordpress

Wed, 25 Mar 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 25 Mar 2026 16:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in codepeople CP Multi View Event Calendar cp-multi-view-calendar allows Stored XSS.This issue affects CP Multi View Event Calendar : from n/a through <= 1.4.35.
Title WordPress CP Multi View Event Calendar plugin <= 1.4.35 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References

Subscriptions

Codepeople Cp Multi View Event Calendar
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-03-25T20:23:35.739Z

Reserved: 2026-02-02T12:53:59.642Z

Link: CVE-2026-25465

cve-icon Vulnrichment

Updated: 2026-03-25T20:23:00.610Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-25T17:16:52.697

Modified: 2026-03-30T13:27:12.923

Link: CVE-2026-25465

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-26T12:12:37Z

Weaknesses