Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ashanjay EventON eventon allows Reflected XSS. This issue affects EventON: from n/a through <= 4.9.12.
Published: 2026-03-05
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Reflected Cross‑Site Scripting
Action: Immediate Patch
AI Analysis

Impact

The EventON plugin for WordPress includes an improper neutralization of input that permits reflected cross‑site scripting. An attacker can craft a payload that is reflected by the plugin into a web page, enabling the execution of arbitrary JavaScript in the victim's browser. This flaw allows an attacker to hijack user sessions, steal cookies, deface the site, and potentially redirect users to malicious sites.

Affected Systems

The vulnerability affects the EventON plugin developed by ashanjay, versions from the earliest releases through 4.9.12 inclusive. All installations of these versions deployed on WordPress sites are potentially exposed unless the plugin is removed or upgraded.

Risk and Exploitability

The CVSS score is 7.1, indicating a high severity. The EPSS score is less than 1%, indicating a very low probability that the vulnerability will be exploited in the near term. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is through crafted input parameters that are echoed by the plugin in the generated HTML response. Successful exploitation requires user interaction, such as clicking a malicious link or visiting a page that contains the crafted query parameters.

Generated by OpenCVE AI on April 15, 2026 at 23:11 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update EventON to version 4.9.13 or later.
  • If updating is not possible, disable or remove the EventON plugin from the WordPress installation.
  • Monitor site traffic for malicious URLs that include suspicious query parameters and block them if detected.



Advisories

No advisories yet.

History

Fri, 06 Mar 2026 15:30:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Ashanjay; Ashanjay eventon; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Ashanjay; Ashanjay eventon; Wordpress; Wordpress wordpress

Fri, 06 Mar 2026 13:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added:
cvssV3_1: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}
ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 05 Mar 2026 06:15:00 +0000

Values Removed: (none)
Values Added:
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ashanjay EventON eventon allows Reflected XSS. This issue affects EventON: from n/a through <= 4.9.12.
Title: WordPress EventON plugin <= 4.9.12 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses: CWE-79
References:

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:15:29.690Z

Reserved: 2026-02-25T12:13:25.489Z

Link: CVE-2026-28037

Vulnrichment

Updated: 2026-03-06T12:18:51.031Z

NVD

Status: Awaiting Analysis

Published: 2026-03-05T06:16:36.613

Modified: 2026-03-06T13:16:04.140

Link: CVE-2026-28037

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T23:15:17Z

Weaknesses