Skip to main content

EventPrime CVE-2026-13441

| EUVDEUVD-2026-42559 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-07-09 Wordfence GHSA-566f-2h7m-xrh3
7.2
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
7.2 HIGH
AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
vuln.today AI
6.4 MEDIUM

Default configuration needs a subscriber-level account (PR:L), stored payload runs without victim interaction (UI:N) and crosses into another security context (S:C); XSS yields Low C/I and no availability impact.

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 09, 2026 - 11:32 vuln.today
CVE Published
Jul 09, 2026 - 09:31 nvd
HIGH 7.2

DescriptionCVE.org

The EventPrime - Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'new_event_type_background_color' parameter in all versions up to, and including, 4.3.4.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with custom-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This requires the plugin's Guest Submissions setting (allow_submission_by_anonymous_user) to be enabled, which allows unauthenticated attackers to submit event types via the frontend form; when that setting is disabled, exploitation requires at minimum a subscriber-level authenticated account.

AnalysisAI

Stored cross-site scripting in the EventPrime events plugin for WordPress (versions through 4.3.4.2, by Metagauss) lets low-privileged or, in one configuration, unauthenticated actors persist arbitrary JavaScript through the 'new_event_type_background_color' field of the event-type creation flow. The injected script runs in the browser of any user who later views the affected page, enabling session/context theft in the WordPress front end and admin context. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Access event-type submission form (guest or subscriber)
Delivery
Submit crafted new_event_type_background_color payload
Exploit
Store XSS in event type record
Execution
Victim loads page rendering event type
Impact
Script executes in victim browser context

Vulnerability AssessmentAI

Exploitation Two distinct paths exist. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The supplied CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N, base 7.2) reflects the worst-case path where the plugin's Guest Submissions setting (allow_submission_by_anonymous_user) is enabled, permitting unauthenticated front-end submission - that is what justifies PR:N and the scope change (S:C) typical of stored XSS crossing into the admin/viewer context. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario On a site where Guest Submissions is enabled, an unauthenticated attacker opens the public event-submission form and creates an event type with a JavaScript payload placed in the background-color field; when an administrator or visitor later loads a page rendering that event type, the script executes in their session. If Guest Submissions is disabled, an attacker first registers or obtains a subscriber-level account, then performs the same injection. …
Remediation No vendor-released patch version is identified in the provided data (all versions through 4.3.4.2 are vulnerable and no fixed release number is stated), so the primary action is to update EventPrime to the latest available release above 4.3.4.2 as published on the WordPress plugin repository and to consult the Wordfence advisory (https://www.wordfence.com/threat-intel/vulnerabilities/id/2abd400b-c633-4b38-ad3e-c9ce602ff07f?source=cve) for the confirmed fixed version. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Audit all WordPress installations for EventPrime plugin version 4.3.4.2 or earlier and inspect event-type configurations for suspicious entries in the 'new_event_type_background_color' field. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-13441 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy