Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
4DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in magepeopleteam WpEvently mage-eventpress allows Reflected XSS.This issue affects WpEvently: from n/a through <= 5.1.4.
AnalysisAI
A Reflected Cross-Site Scripting (XSS) vulnerability exists in the WpEvently WordPress plugin (mage-eventpress) affecting versions up to and including 5.1.4, allowing attackers to inject malicious scripts that execute in users' browsers when they visit crafted URLs. The vulnerability stems from improper neutralization of user input during web page generation (CWE-79), enabling attackers to steal session cookies, perform unauthorized actions, or redirect users to malicious sites. No CVSS score or EPSS data is currently available, but the Patchstack reporting and EUVD tracking indicate this is a documented and confirmed vulnerability requiring prompt patching.
Technical ContextAI
The WpEvently plugin (identified via CPE cpe:2.3:a:magepeopleteam:wpevently:*:*:*:*:*:*:*:*) is a WordPress event management plugin that processes user input for display on web pages. The vulnerability falls under CWE-79 (Improper Neutralization of Input During Web Page Generation), which occurs when untrusted user-supplied data is directly reflected back to the client without proper HTML encoding, entity escaping, or output sanitization. In WordPress contexts, this typically manifests when query parameters, form inputs, or URL fragments are echoed in HTML responses without using proper WordPress sanitization functions such as sanitize_text_field(), wp_kses(), or esc_html(). The reflected nature indicates the malicious payload must be delivered via a crafted URL, making it dependent on social engineering or phishing to trick users into clicking the link.
RemediationAI
WordPress site administrators using the WpEvently plugin should immediately upgrade to a version newer than 5.1.4, ensuring the latest patched release is deployed. Check the official WpEvently plugin page on wordpress.org or the vendor's repository at Patchstack (https://patchstack.com/database/Wordpress/Plugin/mage-eventpress/vulnerability/wordpress-wpevently-plugin-5-1-4-reflected-cross-site-scripting-xss-vulnerability) for the specific patched version number. As a temporary mitigation while patching is unavailable, enforce strict Content Security Policy (CSP) headers at the WordPress level using plugins like Wordfence or Shield to block inline script execution and restrict script sources to trusted domains only. Additionally, limit access to event-related pages to authenticated users where possible, monitor for suspicious query parameters in web server logs, and educate users not to click links from untrusted sources pointing to event pages.
Unauthenticated integrity compromise in the WpEvently WordPress plugin (versions 5.3.3 and earlier) by MagePeople allows
WpEvently versions prior to 5.1.9 inadvertently expose sensitive information in transmitted data, allowing unauthenticat
Cross-Site request forgery (CSRF) vulnerability in Magepeople inc. Rated medium severity (CVSS 4.3), this vulnerability
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-15685