CVE-2025-11995
BaseFortify
Publication date: 2025-11-01
Last updated on: 2025-11-04
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordpress | community_events | 1.5.2 |
| wordpress | community_events | 1.5.3 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Stored Cross-Site Scripting (XSS) issue in the Community Events plugin for WordPress (versions up to and including 1.5.2). It occurs because the plugin does not properly sanitize and escape user input in the event details parameter. This allows unauthenticated attackers to inject malicious scripts into event pages, which then execute in the browsers of users who view those pages. [1]
How can this vulnerability impact me? :
The vulnerability can allow attackers to execute arbitrary JavaScript in the context of the affected website. This can lead to theft of user credentials, session hijacking, defacement of the website, or distribution of malware to visitors. Since the attack is stored, the malicious script persists and affects every user who accesses the infected event page, potentially compromising user data and trust. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
You can detect this vulnerability by checking the installed version of the Community Events WordPress plugin. If the version is 1.5.2 or earlier, it is vulnerable. There are no specific network commands provided to detect exploitation attempts. To check the plugin version, you can use WordPress CLI commands such as `wp plugin list` to see the installed version of community-events. Additionally, reviewing event details input fields for suspicious script tags in the database or web pages may help identify exploitation. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate step to mitigate this vulnerability is to update the Community Events plugin to version 1.5.3 or later, where the vulnerability has been fixed by properly sanitizing and escaping user input to prevent stored cross-site scripting. If updating is not immediately possible, consider disabling the plugin or restricting access to event creation and editing features to trusted users only. [1]