Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Default configuration needs a subscriber-level account (PR:L), stored payload runs without victim interaction (UI:N) and crosses into another security context (S:C); XSS yields Low C/I and no availability impact.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The EventPrime - Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'new_event_type_background_color' parameter in all versions up to, and including, 4.3.4.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with custom-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This requires the plugin's Guest Submissions setting (allow_submission_by_anonymous_user) to be enabled, which allows unauthenticated attackers to submit event types via the frontend form; when that setting is disabled, exploitation requires at minimum a subscriber-level authenticated account.
AnalysisAI
Stored cross-site scripting in the EventPrime events plugin for WordPress (versions through 4.3.4.2, by Metagauss) lets low-privileged or, in one configuration, unauthenticated actors persist arbitrary JavaScript through the 'new_event_type_background_color' field of the event-type creation flow. The injected script runs in the browser of any user who later views the affected page, enabling session/context theft in the WordPress front end and admin context. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Two distinct paths exist. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The supplied CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N, base 7.2) reflects the worst-case path where the plugin's Guest Submissions setting (allow_submission_by_anonymous_user) is enabled, permitting unauthenticated front-end submission - that is what justifies PR:N and the scope change (S:C) typical of stored XSS crossing into the admin/viewer context. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | On a site where Guest Submissions is enabled, an unauthenticated attacker opens the public event-submission form and creates an event type with a JavaScript payload placed in the background-color field; when an administrator or visitor later loads a page rendering that event type, the script executes in their session. If Guest Submissions is disabled, an attacker first registers or obtains a subscriber-level account, then performs the same injection. … |
| Remediation | No vendor-released patch version is identified in the provided data (all versions through 4.3.4.2 are vulnerable and no fixed release number is stated), so the primary action is to update EventPrime to the latest available release above 4.3.4.2 as published on the WordPress plugin repository and to consult the Wordfence advisory (https://www.wordfence.com/threat-intel/vulnerabilities/id/2abd400b-c633-4b38-ad3e-c9ce602ff07f?source=cve) for the confirmed fixed version. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Audit all WordPress installations for EventPrime plugin version 4.3.4.2 or earlier and inspect event-type configurations for suspicious entries in the 'new_event_type_background_color' field. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42559
GHSA-566f-2h7m-xrh3