Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
4DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ashanjay EventON eventon allows Reflected XSS.This issue affects EventON: from n/a through <= 4.9.12.
AnalysisAI
Reflected cross-site scripting in EventON WordPress plugin versions up to 4.9.12 enables remote attackers to execute arbitrary JavaScript in victim browsers via malicious links. The vulnerability requires victim interaction (CVSS UI:R) and changes execution scope (S:C), allowing session hijacking, credential theft, or malicious actions within the WordPress admin interface. With EPSS exploitation probability at 0.04% (10th percentile) and no CISA KEV listing, this represents a lower-priority XSS requiring social engineering rather than mass exploitation.
Technical ContextAI
This vulnerability stems from CWE-79 (Improper Neutralization of Input During Web Page Generation), a persistent issue in WordPress plugin development where user-controlled input from URL parameters or form fields is reflected into HTML responses without proper sanitization or output encoding. EventON is a WordPress event calendar plugin used for managing and displaying events on WordPress sites. Reflected XSS occurs when the plugin processes HTTP request parameters and embeds them directly into the generated web page without applying htmlspecialchars(), esc_html(), or equivalent output encoding functions required by WordPress security standards. The vulnerability affects all EventON versions through 4.9.12, indicating a long-standing input validation gap in the plugin's codebase. The changed scope (S:C) in CVSS vector indicates the vulnerable component (EventON plugin) operates under different security authority than the impacted component (user browser/WordPress session), allowing JavaScript execution outside the plugin's intended security boundary.
Affected ProductsAI
WordPress EventON plugin versions from earliest release through version 4.9.12 are confirmed vulnerable. The plugin is developed by ashanjay and distributed through WordPress.org plugin repository and CodeCanyon marketplace. Organizations using EventON for event calendar functionality on WordPress sites should verify installed version via WordPress admin dashboard (Plugins → Installed Plugins) or by checking eventon/eventon.php file header. The vulnerability advisory is documented in Patchstack database (reference: https://patchstack.com/database/Wordpress/Plugin/eventon/vulnerability/wordpress-eventon-plugin-4-9-12-reflected-cross-site-scripting-xss-vulnerability) with specific version range confirmation.
RemediationAI
Upgrade EventON plugin to version 4.9.13 or later, which is expected to contain input sanitization fixes for the reflected XSS vulnerability. Access WordPress admin dashboard, navigate to Plugins → Installed Plugins, locate EventON, and click Update if available. Before upgrading production sites, test in staging environment to verify compatibility with theme and other plugins. Full advisory and patch details are available at Patchstack: https://patchstack.com/database/Wordpress/Plugin/eventon/vulnerability/wordpress-eventon-plugin-4-9-12-reflected-cross-site-scripting-xss-vulnerability. If immediate patching is not feasible, implement compensating controls: configure Content Security Policy (CSP) headers with script-src 'self' directive to restrict inline JavaScript execution (note: may break legitimate EventON features requiring inline scripts, test thoroughly); enable WordPress security plugins like Wordfence or Sucuri with virtual patching capabilities to filter malicious XSS payloads at WAF layer; restrict EventON plugin access to trusted administrator roles only via User Role Editor plugin; train users to avoid clicking untrusted links while logged into WordPress admin interface. For high-security environments unable to patch immediately, temporarily disable EventON plugin until update is applied, understanding this removes all event calendar functionality from the site.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today