Events Planner CVE-2025-26586
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
4DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Events Planner allows Reflected XSS. This issue affects Events Planner: from n/a through 1.3.10.
AnalysisAI
Reflected XSS in Events Planner WordPress plugin versions up to 1.3.10 allows remote attackers to inject malicious scripts via crafted URLs that execute in victims' browsers when clicked. Reported by Patchstack security researchers, the vulnerability requires user interaction (opening a malicious link) but needs no authentication, enabling session hijacking, credential theft, or malicious actions in the context of authenticated WordPress users. EPSS score of 0.09% (26th percentile) indicates low observed exploitation probability in the wild, with no CISA KEV listing or public proof-of-concept identified at time of analysis.
Technical ContextAI
This is a classic reflected cross-site scripting (CWE-79) vulnerability affecting the Events Planner WordPress plugin (wordpress:events-planner per CPE pattern). Reflected XSS occurs when user-supplied input is immediately returned by a web application without proper sanitization or encoding, allowing attackers to inject JavaScript or HTML that executes in the victim's browser. The vulnerability likely exists in parameter handling for event listing, search, or filtering functions where input is echoed back in HTTP responses. The CVSS vector indicates changed scope (S:C), meaning the vulnerable component (the plugin) is distinct from the impacted component (the WordPress site and user sessions), enabling cross-context attacks. WordPress plugins frequently suffer from inadequate input validation when developers fail to use WordPress security APIs like esc_html(), esc_url(), or wp_kses() for output encoding.
Affected ProductsAI
WordPress Events Planner plugin versions from earliest release through 1.3.10 are confirmed vulnerable according to Patchstack advisory. The plugin is identified as wordpress:events-planner in CPE nomenclature. All WordPress installations with this plugin version range are at risk, regardless of WordPress core version. Vendor advisory available at https://patchstack.com/database/wordpress/plugin/events-planner/vulnerability/wordpress-events-planner-plugin-1-3-10-reflected-cross-site-scripting-xss-vulnerability.
RemediationAI
Update Events Planner plugin to version 1.3.11 or later if available, as Patchstack typically coordinates disclosure with plugin authors who release fixes. Check WordPress admin dashboard under Plugins for available updates, or download directly from wordpress.org/plugins/events-planner. If patched version is not yet released or update is delayed, implement compensating controls: restrict plugin usage to trusted administrators only by removing public-facing event forms; enable WordPress Content Security Policy headers (Content-Security-Policy: script-src 'self') to block inline script execution, though this may break legitimate plugin functionality requiring testing; deploy web application firewall rules to filter common XSS payloads in query parameters and form fields; educate users to avoid clicking untrusted links to the WordPress site. Monitor Patchstack advisory URL for official patch confirmation. Note that disabling the plugin entirely eliminates risk but removes event management functionality. CSP implementation may conflict with other plugins using inline scripts, requiring whitelist adjustments.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today