CVE-2025-12976
Unknown Unknown - Not Provided
Stored XSS in Events Manager WordPress Plugin Allows Script Injection

Publication date: 2025-12-18

Last updated on: 2025-12-18

Assigner: Wordfence

Description
The Events Manager – Calendar, Bookings, Tickets, and more! plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'events_list_grouped' shortcode in all versions up to, and including, 7.2.2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-18
Last Modified
2025-12-18
Generated
2026-06-16
AI Q&A
2025-12-18
EPSS Evaluated
2026-06-15
NVD
CVE-2025-12976
EUVD
EUVD-2025-204249
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wordpress events_manager *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability allows authenticated users with contributor-level access to inject arbitrary scripts via stored Cross-Site Scripting (XSS) in pages using the 'events_list_grouped' shortcode. This could lead to unauthorized access or manipulation of user data when other users view the injected pages. Such unauthorized data exposure or manipulation could potentially violate data protection regulations like GDPR or HIPAA, which require safeguarding personal data against unauthorized access and ensuring data integrity. Therefore, this vulnerability may negatively impact compliance with these standards by exposing personal or sensitive data to attackers through script injection. [6]

Executive Summary

CVE-2025-12976 is a Stored Cross-Site Scripting (XSS) vulnerability in the Events Manager WordPress plugin, specifically via the 'events_list_grouped' shortcode. The vulnerability arises because the plugin does not sufficiently sanitize or escape user-supplied attributes in this shortcode. Authenticated users with contributor-level access or higher can inject arbitrary web scripts into pages. These scripts execute whenever any user accesses the affected page, potentially compromising site security. [6]

Impact Analysis

This vulnerability allows authenticated users with contributor-level or higher privileges to inject malicious scripts into pages via the 'events_list_grouped' shortcode. When other users visit these pages, the injected scripts execute in their browsers. This can lead to theft of user credentials, session hijacking, defacement, or other malicious actions depending on the injected script's intent. It compromises the integrity and security of the website and its users. [6]

Detection Guidance

Detection of this vulnerability involves identifying if the Events Manager plugin for WordPress is installed and running a vulnerable version (up to and including 7.2.2.1). Since the vulnerability is a Stored Cross-Site Scripting (XSS) via the 'events_list_grouped' shortcode, detection can include: 1. Checking the plugin version installed on your WordPress site. 2. Searching for usage of the 'events_list_grouped' shortcode in posts or pages. 3. Looking for suspicious or unexpected script injections in pages that use this shortcode, especially from users with contributor-level access or higher. There are no specific network commands provided in the resources, but you can use WordPress CLI commands to check plugin versions and search content. Example commands: - To check the plugin version: `wp plugin get events-manager --field=version` - To search for the shortcode usage in posts: `wp post list --post_type=page,post --format=ids | xargs -I % wp post get % --field=post_content | grep '\[events_list_grouped'` - To scan for suspicious script tags in content: `wp post list --post_type=page,post --format=ids | xargs -I % wp post get % --field=post_content | grep '<script'` These commands help identify if the vulnerable shortcode is used and if there is any injected script content. Manual review of user inputs and event pages is also recommended to detect exploitation. [6]

Mitigation Strategies

Immediate mitigation steps include: 1. Update the Events Manager plugin to a version later than 7.2.2.1 where the vulnerability is fixed. 2. Restrict contributor-level and higher user permissions to trusted users only, as the vulnerability requires authenticated users with contributor-level access or above to exploit. 3. Review and sanitize any existing content using the 'events_list_grouped' shortcode to remove any injected scripts. 4. Disable or limit usage of the 'events_list_grouped' shortcode until the plugin is updated. 5. Follow best practices for input sanitization and output escaping in WordPress, and consider applying additional security plugins or Web Application Firewalls (WAF) to detect and block XSS attempts. The plugin itself attempts to sanitize shortcode parameters using WordPress's wp_kses() function, but the vulnerability arises from insufficient sanitization in some shortcode attributes, so updating the plugin is critical. [6]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-12976. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart