Skip to main content

Wpevently CVE-2026-25361

| EUVDEUVD-2026-15685 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-03-25 Patchstack
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Re-analysis Queued
Apr 24, 2026 - 16:37 vuln.today
cvss_changed
EUVD ID Assigned
Mar 25, 2026 - 16:47 euvd
EUVD-2026-15685
Analysis Generated
Mar 25, 2026 - 16:47 vuln.today
CVE Published
Mar 25, 2026 - 16:14 nvd
HIGH 7.1

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in magepeopleteam WpEvently mage-eventpress allows Reflected XSS.This issue affects WpEvently: from n/a through <= 5.1.4.

AnalysisAI

A Reflected Cross-Site Scripting (XSS) vulnerability exists in the WpEvently WordPress plugin (mage-eventpress) affecting versions up to and including 5.1.4, allowing attackers to inject malicious scripts that execute in users' browsers when they visit crafted URLs. The vulnerability stems from improper neutralization of user input during web page generation (CWE-79), enabling attackers to steal session cookies, perform unauthorized actions, or redirect users to malicious sites. No CVSS score or EPSS data is currently available, but the Patchstack reporting and EUVD tracking indicate this is a documented and confirmed vulnerability requiring prompt patching.

Technical ContextAI

The WpEvently plugin (identified via CPE cpe:2.3:a:magepeopleteam:wpevently:*:*:*:*:*:*:*:*) is a WordPress event management plugin that processes user input for display on web pages. The vulnerability falls under CWE-79 (Improper Neutralization of Input During Web Page Generation), which occurs when untrusted user-supplied data is directly reflected back to the client without proper HTML encoding, entity escaping, or output sanitization. In WordPress contexts, this typically manifests when query parameters, form inputs, or URL fragments are echoed in HTML responses without using proper WordPress sanitization functions such as sanitize_text_field(), wp_kses(), or esc_html(). The reflected nature indicates the malicious payload must be delivered via a crafted URL, making it dependent on social engineering or phishing to trick users into clicking the link.

RemediationAI

WordPress site administrators using the WpEvently plugin should immediately upgrade to a version newer than 5.1.4, ensuring the latest patched release is deployed. Check the official WpEvently plugin page on wordpress.org or the vendor's repository at Patchstack (https://patchstack.com/database/Wordpress/Plugin/mage-eventpress/vulnerability/wordpress-wpevently-plugin-5-1-4-reflected-cross-site-scripting-xss-vulnerability) for the specific patched version number. As a temporary mitigation while patching is unavailable, enforce strict Content Security Policy (CSP) headers at the WordPress level using plugins like Wordfence or Shield to block inline script execution and restrict script sources to trusted domains only. Additionally, limit access to event-related pages to authenticated users where possible, monitor for suspicious query parameters in web server logs, and educate users not to click links from untrusted sources pointing to event pages.

Share

CVE-2026-25361 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy