CVE-2025-49311
BaseFortify
Publication date: 2025-06-06
Last updated on: 2026-04-23
Assigner: Patchstack
Description
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-49311 is a Cross Site Scripting (XSS) vulnerability in the WordPress plugin 'The Events Calendar Countdown Addon' up to version 1.4.9. It allows a malicious user with Contributor-level privileges to inject malicious scripts such as redirects, advertisements, or other HTML payloads into the website. These scripts execute when visitors access the site, potentially compromising user interactions or site integrity. [1]
How can this vulnerability impact me?
This vulnerability can affect you by allowing an attacker who holds a Contributor account on your site to store script that later runs in the browsers of visitors, which can lead to unauthorized redirects, unwanted advertisements, or other harmful HTML content. This degrades user trust, harms your website's reputation, and can be a stepping stone to further exploitation. Although the severity is rated medium (CVSS 6.5), attackers may still attempt opportunistic automated attacks. If your site is compromised, professional incident response or server-side malware scanning is recommended. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection comes down to checking whether your WordPress site is running The Events Calendar Countdown Addon plugin at version 1.4.9 or earlier. Because the flaw is a stored XSS reachable by Contributor-level users, you can also review content those users have saved (posts, pages and plugin fields) for injected script tags or event-handler attributes. The source provides no dedicated detection commands, but you can audit installed plugin versions with WP-CLI: `wp plugin list` (add `--format=csv` for machine-readable output). If compromise is suspected, server-side malware scanning or professional incident response is recommended. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation is to update The Events Calendar Countdown Addon plugin to version 1.4.10 or later, where the vulnerability is fixed. If updating immediately is not possible, the virtual patching (vPatching) provided by Patchstack can auto-mitigate the vulnerability in the meantime. Also review which accounts hold Contributor-level or higher privileges and remove any that do not need them, and consider professional incident response or server-side malware scanning if a site compromise is suspected. [1]
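A worked check for the detection and mitigation answers above, added here as an example; it is not code from BaseFortify, from the Patchstack advisory, or from the plugin author. It parses `wp plugin list --format=csv` output to flag an installed version below 1.4.10 (comparing version components numerically, so 1.4.9 is correctly ordered below 1.4.10), and counts common stored-XSS markers in exported post content. The plugin directory slug `events-calendar-countdown-addon` is an assumption and must be confirmed on your own site; the sample CSV rows and post content are constructed so the script runs offline.

```shell
#!/bin/sh
# Added example, not code from BaseFortify, Patchstack or the plugin author.
# Two checks a WordPress operator can run from a shell for CVE-2025-49311:
#   1. is the Events Calendar Countdown Addon installed at a version <= 1.4.9?
#   2. does stored post content carry obvious script-injection markers?
# ASSUMPTION: the plugin's directory slug. Confirm it with `wp plugin list`
# on your own site and override PLUGIN_SLUG in the environment if it differs.
PLUGIN_SLUG="${PLUGIN_SLUG:-events-calendar-countdown-addon}"
FIXED_VERSION="1.4.10"   # first fixed release named in the advisory

# version_lt A B: exit 0 when dotted version A sorts below B (1.4.9 < 1.4.10).
# Each component is compared as a number, so "9" < "10" (a plain string
# comparison would get this wrong).
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, A, "."); nb = split(b, B, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? A[i] + 0 : 0
            y = (i <= nb) ? B[i] + 0 : 0
            if (x < y) exit 0
            if (x > y) exit 1
        }
        exit 1
    }'
}

# is_vulnerable VERSION: exit 0 when VERSION is affected (anything below 1.4.10).
is_vulnerable() {
    version_lt "$1" "$FIXED_VERSION"
}

# check_plugin_csv: reads `wp plugin list --format=csv` on stdin (columns
# name,status,update,version) and prints VULNERABLE <ver>, PATCHED <ver>
# or NOT_INSTALLED.
check_plugin_csv() {
    ver=$(awk -F, -v slug="$PLUGIN_SLUG" 'NR > 1 && $1 == slug { print $4 }')
    if [ -z "$ver" ]; then
        echo "NOT_INSTALLED"
    elif is_vulnerable "$ver"; then
        echo "VULNERABLE $ver"
    else
        echo "PATCHED $ver"
    fi
}

# count_xss_markers: reads lines of post content on stdin (for example the
# output of `wp db query "SELECT ID, post_content FROM wp_posts"`) and prints
# how many lines contain a common stored-XSS marker. A hit is a lead for
# manual review, not proof of compromise.
count_xss_markers() {
    grep -Eic '<script|javascript:|on(error|load|mouseover|click|focus)[[:space:]]*=' || true
}

# Constructed sample inputs (not real site data) so the script runs offline.
SAMPLE_PLUGIN_CSV='name,status,update,version
akismet,active,none,5.3
events-calendar-countdown-addon,active,available,1.4.9'

SAMPLE_POSTS='101|<p>Our next event starts soon.</p>
102|<p>Countdown: <img src=x onerror=alert(document.cookie)></p>
103|<a href="javascript:alert(1)">register</a>
104|<p>Plain text, nothing to see here.</p>'

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_PLUGIN_CSV" | check_plugin_csv
    printf 'lines with XSS markers: %s\n' "$(printf '%s\n' "$SAMPLE_POSTS" | count_xss_markers)"
fi
```

Run the file with `--demo` to exercise the constructed samples, or source it and pipe real data through the functions (`wp plugin list --format=csv | check_plugin_csv`). If the result is VULNERABLE, the fix is `wp plugin update <slug>` with the slug you verified, followed by a manual review of any content the marker scan flagged.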