Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
3DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in themifyme Themify Event Post themify-event-post allows Stored XSS.This issue affects Themify Event Post: from n/a through <= 1.3.4.
AnalysisAI
A Stored Cross-Site Scripting (XSS) vulnerability exists in the Themify Event Post WordPress plugin (versions up to 1.3.4) that allows authenticated users with low privileges to inject malicious scripts into web pages, which are then executed in the browsers of other site visitors. An attacker with login credentials can craft malicious input that persists in the database and affects all users viewing affected pages, potentially leading to session hijacking, credential theft, or website defacement. The vulnerability requires user interaction (UI:R) and authenticated access (PR:L), limiting but not eliminating real-world risk.
Technical ContextAI
The vulnerability is rooted in CWE-79 (Improper Neutralization of Input During Web Page Generation), specifically a Stored XSS flaw where the Themify Event Post plugin fails to properly sanitize and escape user-supplied input before storing it in the database and rendering it in HTML contexts. The affected product is identified via CPE as the themifyme Themify Event Post plugin, which is a WordPress extension for managing event post content. The plugin does not implement adequate input validation or output encoding mechanisms, allowing attackers to inject arbitrary JavaScript code that executes with the privileges of the affected WordPress installation. This is distinct from Reflected XSS because the malicious payload persists in the database, making it a more severe attack vector.
RemediationAI
Upgrade the Themify Event Post plugin to a version later than 1.3.4 as soon as a patch is available from the plugin vendor. Site administrators should verify the latest patched version through the WordPress plugin repository or the official Themify website and apply the update immediately. As an interim mitigation pending patch availability, restrict user roles with content creation or editing capabilities to only trusted administrators, disable the plugin if not actively required, and implement a Web Application Firewall (WAF) rule to detect and block common XSS payloads in HTTP requests. Additionally, audit existing event posts for injected malicious content and consider implementing Content Security Policy (CSP) headers to limit the damage of any successful XSS attacks.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-11997