Impact
The EventPrime plugin for WordPress contains a stored XSS flaw that is present in all releases through version 4.3.2.1. The vulnerability arises when an attacker is able to inject malicious script into fields that are later rendered in subscriber‑viewable pages, causing the script to execute in the context of the victim’s browser. This allows an attacker to hijack sessions, steal cookies, or deface the site, thereby compromising the confidentiality, integrity, and availability of data accessed by subscribers. The weakness is classified as CWE‑79.
Affected Systems
WordPress sites that have installed the EventPrime plugin up to and including version 4.3.2.1 are affected. The plugin, named EventPrime, must be updated to at least version 4.3.2.2 to eliminate the flaw; earlier versions remain vulnerable.
Risk and Exploitability
The vulnerability has a CVSS score of 7.1, indicating a high severity, while the EPSS score of less than 1% suggests a low probability of exploitation in the near term, and it is not listed in the CISA KEV catalog. Based on the description, the likely attack vector involves the injection of malicious code into subscriber data fields that are displayed to logged‑in users. Successful exploitation requires that a victim interact with a page that contains the tainted data, such as by visiting an event page or a subscriber profile. The risk is thus moderate to high for sites that expose such fields without proper output escaping.
OpenCVE Enrichment