Description
The Events In City plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'org-events' shortcode in versions up to, and including, 3.0. This is due to insufficient input sanitization and output escaping on user supplied attributes (such as 'organizer_id', 'width', 'height', 'transparency', 'header', 'border', and 'layout') in the org_event_scode() function. The attribute values are concatenated directly into HTML attributes without esc_attr(). This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-05-27
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Events In City WordPress plugin suffers from a stored cross-site scripting flaw (CWE-79) in its org_events shortcode. Insufficient input sanitization and output escaping cause attribute values such as organizer_id, width, height, transparency, header, border, and layout to be concatenated directly into HTML attributes without esc_attr(). As a result, an attacker can embed arbitrary JavaScript that will run whenever a user visits a page containing the injected shortcode. The script runs with the permissions of the browsing user, potentially allowing defacement, cookie theft, or other client-side compromise.

Affected Systems

WordPress sites that install the Events In City plugin in any version through 3.0, inclusive. Site administrators using these plugin versions are affected. The vulnerability exists anywhere the org_events shortcode can be placed, including posts, pages, or widgets.

Risk and Exploitability

The CVSS score of 6.4 indicates a moderate severity. Although an EPSS score is not provided, the lack of a KEV listing suggests the vulnerability has not yet been widely exploited publicly. The attack requires an authenticated user with contributor level or higher and the ability to insert or edit content containing the org_events shortcode. Once injected, the XSS payload executes for every visitor who views the affected page, making the vector effectively local but with a broad impact on all site users.

Generated by OpenCVE AI on May 27, 2026 at 08:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Events In City plugin to a version newer than 3.0, where input sanitization for shortcode attributes is corrected.
  • If an upgrade is not immediately possible, remove or restrict the org_events shortcode from user-editable content or disable the plugin's ability to process shortcode attributes until a fix is applied.
  • Implement site-wide content security policies or use a security plugin to block the execution of script tags inserted via user content.
  • Review user roles and ensure only trusted contributors can publish content containing shortcodes, and educate developers that shortcode attributes should always be escaped.
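As an added illustration (not code from the Events In City plugin, from Wordfence, or from OpenCVE), the hypothetical WordPress shortcode handler below shows the pattern the description reports, attribute values concatenated straight into HTML attributes, next to a hardened version that validates each attribute and escapes at output with esc_attr() and esc_url(). The function names, the iframe markup, the defaults and the allowed layout values are assumptions; only a subset of the attributes named in the advisory is shown, and the code assumes a WordPress runtime for shortcode_atts(), absint(), esc_attr(), esc_url() and add_shortcode().

```php
<?php
// Added example: a hypothetical shortcode handler, not the plugin's own code.
// Function names, markup, defaults and the layout allow-list are assumptions.

// UNSAFE: illustrates the reported pattern. Every value comes from the
// shortcode author (contributor role is enough) and lands in an HTML
// attribute unescaped, so the attribute boundary is not enforced.
function demo_events_shortcode_unsafe( $atts ) {
    $a = shortcode_atts( array(
        'organizer_id' => '',
        'width'        => '100%',
        'height'       => '400',
        'layout'       => 'list',
    ), $atts, 'demo_events' );

    return '<iframe src="https://example.invalid/org/' . $a['organizer_id'] . '"'
         . ' width="' . $a['width'] . '" height="' . $a['height'] . '"'
         . ' class="' . $a['layout'] . '"></iframe>';
}

// HARDENED: validate each attribute against the type it is supposed to
// hold, allow-list enumerations, and escape for the exact output context.
function demo_events_shortcode_safe( $atts ) {
    $a = shortcode_atts( array(
        'organizer_id' => '',
        'width'        => '100%',
        'height'       => '400',
        'layout'       => 'list',
    ), $atts, 'demo_events' );

    // Numeric identifier: coerce to a non-negative integer, refuse zero.
    $organizer_id = absint( $a['organizer_id'] );
    if ( 0 === $organizer_id ) {
        return '';
    }

    // Dimensions: digits with an optional unit suffix, otherwise the default.
    $width  = preg_match( '/^\d{1,4}(%|px)?$/', $a['width'] )  ? $a['width']  : '100%';
    $height = preg_match( '/^\d{1,4}(px)?$/',   $a['height'] ) ? $a['height'] : '400';

    // Enumeration: only the layouts the handler actually supports (assumed set).
    $layouts = array( 'list', 'grid', 'calendar' );
    $layout  = in_array( $a['layout'], $layouts, true ) ? $a['layout'] : 'list';

    // Build the URL from validated parts, then escape per context:
    // esc_url() for the src attribute, esc_attr() for plain attributes.
    $src = 'https://example.invalid/org/' . $organizer_id;

    return sprintf(
        '<iframe src="%s" width="%s" height="%s" class="%s"></iframe>',
        esc_url( $src ),
        esc_attr( $width ),
        esc_attr( $height ),
        esc_attr( $layout )
    );
}

// Register only the hardened handler; the unsafe one exists for comparison.
add_shortcode( 'demo_events', 'demo_events_shortcode_safe' );
```

Validation and escaping are separate layers on purpose: the allow-list and regex checks reject values that make no sense for the attribute, and esc_attr()/esc_url() guarantee the remaining value cannot terminate the attribute regardless of what the checks let through. Escaping at the point of output, rather than when the value is stored, is the convention WordPress code review expects for shortcode attributes.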


Advisories

No advisories yet.

History

Wed, 27 May 2026 11:15:00 +0000

Type       Values Removed    Values Added
Metrics                      ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 27 May 2026 10:30:00 +0000

Type                  Values Removed    Values Added
First Time appeared                     Ruchit47
                                        Ruchit47 events In City
                                        Wordpress
                                        Wordpress wordpress
Vendors & Products                      Ruchit47
                                        Ruchit47 events In City
                                        Wordpress
                                        Wordpress wordpress

Wed, 27 May 2026 06:30:00 +0000

Type          Values Removed    Values Added
Description                     The Events In City plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'org-events' shortcode in versions up to, and including, 3.0. This is due to insufficient input sanitization and output escaping on user supplied attributes (such as 'organizer_id', 'width', 'height', 'transparency', 'header', 'border', and 'layout') in the org_event_scode() function. The attribute values are concatenated directly into HTML attributes without esc_attr(). This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title                           Events In City <= 3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
Weaknesses                      CWE-79
References
Metrics                         cvssV3_1 {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


Subscriptions

Ruchit47 Events In City
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-27T10:36:49.318Z

Reserved: 2026-05-18T21:10:14.369Z

Link: CVE-2026-8898

Vulnrichment

Updated: 2026-05-27T10:36:44.743Z

NVD

Status: Received

Published: 2026-05-27T07:16:17.963

Modified: 2026-05-27T07:16:17.963

Link: CVE-2026-8898

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T10:07:25Z

Weaknesses