Skip to main content

Cp Multi View Event Calendar EUVDEUVD-2026-15750

| CVE-2026-25465 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-03-25 Patchstack GHSA-h7vm-897g-cq7h
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

3
EUVD ID Assigned
Mar 25, 2026 - 16:47 euvd
EUVD-2026-15750
Analysis Generated
Mar 25, 2026 - 16:47 vuln.today
CVE Published
Mar 25, 2026 - 16:14 nvd
MEDIUM 6.5

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in codepeople CP Multi View Event Calendar cp-multi-view-calendar allows Stored XSS.This issue affects CP Multi View Event Calendar : from n/a through <= 1.4.35.

AnalysisAI

A Stored Cross-Site Scripting (XSS) vulnerability exists in the CodePeople CP Multi View Event Calendar WordPress plugin through version 1.4.35, allowing authenticated or unauthenticated attackers to inject malicious JavaScript that persists in the database and executes in the browsers of site visitors. This CWE-79 vulnerability enables attackers to steal session cookies, redirect users to malicious sites, or perform actions on behalf of administrators. While no CVSS score or EPSS data are currently published and the vulnerability has not been designated as actively exploited in CISA's KEV catalog, the nature of stored XSS combined with the plugin's event calendar functionality-which typically accepts user input for event creation and editing-indicates a credible attack surface.

Technical ContextAI

The vulnerability stems from improper neutralization of user-supplied input during web page generation, classified under CWE-79 (Improper Neutralization of Input During Web Page Generation). The CP Multi View Event Calendar plugin (identified via CPE cpe:2.3:a:codepeople:cp_multi_view_event_calendar:*:*:*:*:*:*:*:*) is a WordPress plugin that handles event calendar functionality, likely processing event titles, descriptions, and metadata without sufficient input validation or output encoding. The stored nature of this XSS indicates the malicious payload is retained in the WordPress database, making it a persistent threat that affects all users viewing the calendar rather than just a single victim. This distinguishes it from reflected XSS and increases its severity in multi-user WordPress environments.

RemediationAI

Immediately upgrade the CP Multi View Event Calendar plugin to a version newer than 1.4.35; check the Patchstack advisory and the plugin's official WordPress.org repository for the patched version release. If immediate patching is not feasible, disable the plugin temporarily or restrict access to the calendar functionality via WordPress user role permissions until a patch is deployed. As an additional layer of defense, implement Web Application Firewall (WAF) rules to block common XSS payload patterns in POST requests to the plugin's calendar endpoints, and ensure all WordPress user accounts enforce strong passwords to prevent account takeover attacks. Monitor the Patchstack database (https://patchstack.com/) for the release announcement of a patched version specific to this CVE.

Share

EUVD-2026-15750 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy