Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
3DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in codepeople CP Multi View Event Calendar cp-multi-view-calendar allows Stored XSS.This issue affects CP Multi View Event Calendar : from n/a through <= 1.4.35.
AnalysisAI
A Stored Cross-Site Scripting (XSS) vulnerability exists in the CodePeople CP Multi View Event Calendar WordPress plugin through version 1.4.35, allowing authenticated or unauthenticated attackers to inject malicious JavaScript that persists in the database and executes in the browsers of site visitors. This CWE-79 vulnerability enables attackers to steal session cookies, redirect users to malicious sites, or perform actions on behalf of administrators. While no CVSS score or EPSS data are currently published and the vulnerability has not been designated as actively exploited in CISA's KEV catalog, the nature of stored XSS combined with the plugin's event calendar functionality-which typically accepts user input for event creation and editing-indicates a credible attack surface.
Technical ContextAI
The vulnerability stems from improper neutralization of user-supplied input during web page generation, classified under CWE-79 (Improper Neutralization of Input During Web Page Generation). The CP Multi View Event Calendar plugin (identified via CPE cpe:2.3:a:codepeople:cp_multi_view_event_calendar:*:*:*:*:*:*:*:*) is a WordPress plugin that handles event calendar functionality, likely processing event titles, descriptions, and metadata without sufficient input validation or output encoding. The stored nature of this XSS indicates the malicious payload is retained in the WordPress database, making it a persistent threat that affects all users viewing the calendar rather than just a single victim. This distinguishes it from reflected XSS and increases its severity in multi-user WordPress environments.
RemediationAI
Immediately upgrade the CP Multi View Event Calendar plugin to a version newer than 1.4.35; check the Patchstack advisory and the plugin's official WordPress.org repository for the patched version release. If immediate patching is not feasible, disable the plugin temporarily or restrict access to the calendar functionality via WordPress user role permissions until a patch is deployed. As an additional layer of defense, implement Web Application Firewall (WAF) rules to block common XSS payload patterns in POST requests to the plugin's calendar endpoints, and ensure all WordPress user accounts enforce strong passwords to prevent account takeover attacks. Monitor the Patchstack database (https://patchstack.com/) for the release announcement of a patched version specific to this CVE.
More in Cp Multi View Event Calendar
View allSame weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-15750
GHSA-h7vm-897g-cq7h