Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H
Network-reachable XSS exploitable by a Subscriber (PR:L) requires a victim to load the page (UI:R), executes in the victim's origin (S:C), and yields session/data exposure (C:L/I:L) with no availability impact.
Primary rating from Vendor (Patchstack).
CVSS Vector (Vendor: Patchstack)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H
Description (source: CVE.org)
Subscriber Cross Site Scripting (XSS) in EventPrime <= 4.3.2.1 versions.
Analysis (AI-generated)
Stored or reflected cross-site scripting in the EventPrime WordPress plugin (versions <= 4.3.2.1) allows authenticated users with Subscriber-level privileges to inject malicious JavaScript that executes in other users' browsers. The flaw was disclosed by Patchstack; no public exploit had been identified at the time of analysis, but the low privilege bar makes it attractive to opportunistic attackers on multi-user WordPress sites. …
Attack Chain (AI-derived): hypothetical attack flow derived from CVE metadata.
Vulnerability Assessment (AI-generated)
| Aspect | Assessment |
| --- | --- |
| Exploitation | Attacker must hold a valid WordPress Subscriber-or-higher account on a site running the EventPrime plugin at version 4.3.2.1 or earlier, which in practice means the target site either permits open user registration or the attacker has obtained Subscriber credentials by other means. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The supplied CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H) yields 7.1 and is unusual for a classic XSS: it asserts no user interaction (UI:N) and a high availability impact (A:H) with no confidentiality impact (C:N), which is inconsistent with how stored/reflected XSS typically manifests. XSS almost always carries some confidentiality impact (session/token theft) and usually requires victim interaction. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker registers a Subscriber account on a WordPress site running EventPrime <= 4.3.2.1, submits an event field or comment containing a crafted JavaScript payload, and waits for an administrator or other authenticated user to view the affected page in wp-admin or on the front end. The injected script runs in the victim's browser session and can be used to exfiltrate the WordPress auth cookie, issue authenticated requests as the admin (e.g., create a new administrator account), or pivot to plugin/theme code execution. … |
| Remediation | Upstream fix available per the Patchstack advisory; a specific released patched version was not included in the provided data, so administrators should upgrade EventPrime to the latest version published on the WordPress.org plugin repository above 4.3.2.1 and verify the installed version after update. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended Action (AI-generated)
24 hours: Identify all WordPress instances running EventPrime ≤4.3.2.1 and inventory whether Subscriber-level accounts exist on affected sites. …
EUVD-2026-36834
GHSA-jpgx-m7fc-62c2