Skip to main content

EventON CVE-2026-28037

HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-03-05 audit@patchstack.com
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Analysis Updated
Apr 23, 2026 - 01:06 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 22, 2026 - 21:37 vuln.today
cvss_changed
Analysis Generated
Mar 12, 2026 - 22:06 vuln.today
CVE Published
Mar 05, 2026 - 06:16 nvd
HIGH 7.1

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ashanjay EventON eventon allows Reflected XSS.This issue affects EventON: from n/a through <= 4.9.12.

AnalysisAI

Reflected cross-site scripting in EventON WordPress plugin versions up to 4.9.12 enables remote attackers to execute arbitrary JavaScript in victim browsers via malicious links. The vulnerability requires victim interaction (CVSS UI:R) and changes execution scope (S:C), allowing session hijacking, credential theft, or malicious actions within the WordPress admin interface. With EPSS exploitation probability at 0.04% (10th percentile) and no CISA KEV listing, this represents a lower-priority XSS requiring social engineering rather than mass exploitation.

Technical ContextAI

This vulnerability stems from CWE-79 (Improper Neutralization of Input During Web Page Generation), a persistent issue in WordPress plugin development where user-controlled input from URL parameters or form fields is reflected into HTML responses without proper sanitization or output encoding. EventON is a WordPress event calendar plugin used for managing and displaying events on WordPress sites. Reflected XSS occurs when the plugin processes HTTP request parameters and embeds them directly into the generated web page without applying htmlspecialchars(), esc_html(), or equivalent output encoding functions required by WordPress security standards. The vulnerability affects all EventON versions through 4.9.12, indicating a long-standing input validation gap in the plugin's codebase. The changed scope (S:C) in CVSS vector indicates the vulnerable component (EventON plugin) operates under different security authority than the impacted component (user browser/WordPress session), allowing JavaScript execution outside the plugin's intended security boundary.

Affected ProductsAI

WordPress EventON plugin versions from earliest release through version 4.9.12 are confirmed vulnerable. The plugin is developed by ashanjay and distributed through WordPress.org plugin repository and CodeCanyon marketplace. Organizations using EventON for event calendar functionality on WordPress sites should verify installed version via WordPress admin dashboard (Plugins → Installed Plugins) or by checking eventon/eventon.php file header. The vulnerability advisory is documented in Patchstack database (reference: https://patchstack.com/database/Wordpress/Plugin/eventon/vulnerability/wordpress-eventon-plugin-4-9-12-reflected-cross-site-scripting-xss-vulnerability) with specific version range confirmation.

RemediationAI

Upgrade EventON plugin to version 4.9.13 or later, which is expected to contain input sanitization fixes for the reflected XSS vulnerability. Access WordPress admin dashboard, navigate to Plugins → Installed Plugins, locate EventON, and click Update if available. Before upgrading production sites, test in staging environment to verify compatibility with theme and other plugins. Full advisory and patch details are available at Patchstack: https://patchstack.com/database/Wordpress/Plugin/eventon/vulnerability/wordpress-eventon-plugin-4-9-12-reflected-cross-site-scripting-xss-vulnerability. If immediate patching is not feasible, implement compensating controls: configure Content Security Policy (CSP) headers with script-src 'self' directive to restrict inline JavaScript execution (note: may break legitimate EventON features requiring inline scripts, test thoroughly); enable WordPress security plugins like Wordfence or Sucuri with virtual patching capabilities to filter malicious XSS payloads at WAF layer; restrict EventON plugin access to trusted administrator roles only via User Role Editor plugin; train users to avoid clicking untrusted links while logged into WordPress admin interface. For high-security environments unable to patch immediately, temporarily disable EventON plugin until update is applied, understanding this removes all event calendar functionality from the site.

Share

CVE-2026-28037 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy