CVE-2025-5144
BaseFortify
Publication date: 2025-06-11
Last updated on: 2025-07-10
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| stellarwp | the_events_calendar | to 6.13.2.1 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in The Events Calendar WordPress plugin is a Stored Cross-Site Scripting (XSS) issue affecting all versions up to and including 6.13.2. It occurs via the 'data-date-*' parameters due to insufficient input sanitization and output escaping. Authenticated users with Contributor-level access or higher can inject arbitrary web scripts into pages, which then execute whenever any user accesses those pages.
How can this vulnerability impact me? :
This vulnerability can allow attackers with Contributor-level access or above to inject malicious scripts into the website's pages. These scripts execute in the context of users visiting the affected pages, potentially leading to theft of user credentials, session hijacking, defacement, or other malicious actions that compromise site security and user trust.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves Stored Cross-Site Scripting (XSS) via the 'data-date-*' parameters in The Events Calendar WordPress plugin up to version 6.13.2. Detection involves checking if your WordPress site is running a vulnerable version of this plugin and inspecting pages where 'data-date-*' parameters are used for injected scripts. Since the vulnerability requires authenticated users with Contributor-level access or higher to inject scripts, monitoring for unusual script tags or suspicious content in event pages is recommended. Specific commands are not provided in the resources, but general detection steps include: 1) Checking the plugin version installed on your WordPress site (e.g., via WP-CLI: `wp plugin list | grep the-events-calendar`), 2) Searching the database or page source for suspicious script injections in event-related content, 3) Using web vulnerability scanners that detect stored XSS in WordPress plugins. No explicit commands for detection are provided in the resources.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating The Events Calendar plugin to a version later than 6.13.2, as the vulnerability affects all versions up to and including 6.13.2. The changeset for version 6.13.2.1 includes extensive modifications likely addressing this and other issues. Until an update can be applied, restrict Contributor-level and higher user permissions to trusted users only to reduce the risk of exploitation. Additionally, consider implementing Web Application Firewall (WAF) rules to block suspicious input in 'data-date-*' parameters. No specific mitigation commands are provided in the resources. [1]