CVE-2025-9850
BaseFortify
Publication date: 2025-09-11
Last updated on: 2025-09-11
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| evenium | wordpress_plugin | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Stored Cross-Site Scripting (XSS) issue in the Evenium WordPress plugin, specifically in the 'evenium_single_event' shortcode. It occurs because the plugin does not properly sanitize or escape user-supplied attributes. Authenticated users with contributor-level access or higher can inject malicious scripts into pages via this shortcode. These scripts then execute whenever any user views the infected page, potentially compromising user data or site integrity. [1]
How can this vulnerability impact me? :
The vulnerability allows attackers with contributor-level access to inject arbitrary JavaScript into pages, which executes in the context of users visiting those pages. This can lead to theft of session tokens, defacement, unauthorized actions performed on behalf of users, or other malicious activities. Because the injected scripts run in users' browsers, it can compromise user accounts and site security. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves identifying the presence of the Evenium WordPress plugin version 1.3.11 or earlier and checking for usage of the 'evenium_single_event' shortcode that may contain malicious script injections. On the system, you can search for the plugin files and version by running commands like 'grep -r evenium_single_event /path/to/wordpress/wp-content/plugins/evenium' or checking the plugin version in the plugin directory. On the network, monitoring HTTP responses for script tags loading 'https://evenium.net/ng/js/widgets/web-widget.js' with suspicious or malformed URL parameters (especially those containing session tokens or injected scripts) can help detect exploitation attempts. Example commands include: 1) On the server: `grep -r 'evenium_single_event' /var/www/html/wp-content/plugins/evenium` 2) Using curl or wget to fetch pages and grep for the widget script: `curl -s https://yourwordpresssite.com/page | grep 'evenium.net/ng/js/widgets/web-widget.js'` 3) Network traffic inspection with tools like Wireshark or tcpdump filtering for requests to 'evenium.net' and analyzing query parameters for anomalies. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include: 1) Updating the Evenium plugin to a version later than 1.3.11 if available, where the vulnerability is fixed. 2) If an update is not available, temporarily disabling or removing the Evenium plugin to prevent exploitation. 3) Restricting contributor-level and above users from adding or editing content that uses the 'evenium_single_event' shortcode until the issue is resolved. 4) Implementing Web Application Firewall (WAF) rules to detect and block malicious payloads targeting the shortcode parameters. 5) Reviewing and sanitizing any existing content that uses the vulnerable shortcode to remove injected scripts. These steps reduce the risk of stored XSS attacks via the plugin's shortcode. [1]