Event Organiser
Monthly
Stored Cross-Site Scripting in the Event Organiser WordPress plugin (all versions through 3.12.9) allows an authenticated attacker with Contributor-level access or higher to inject arbitrary JavaScript via the unescaped 'no_events' parameter of the 'eo_events' shortcode. The payload persists server-side and executes in any visitor's browser when they load a page containing the injected shortcode with no matching events. No active exploitation is confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis, but the low authentication bar (Contributor) makes this a meaningful risk on multi-author WordPress sites.
Stored Cross-Site Scripting in the Event Organiser WordPress plugin (all versions through 3.12.9) allows an authenticated attacker with Contributor-level access or higher to inject arbitrary JavaScript via the unescaped 'no_events' parameter of the 'eo_events' shortcode. The payload persists server-side and executes in any visitor's browser when they load a page containing the injected shortcode with no matching events. No active exploitation is confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis, but the low authentication bar (Contributor) makes this a meaningful risk on multi-author WordPress sites.