CVE-2025-12976
Stored XSS in Events Manager WordPress Plugin Allows Script Injection
Publication date: 2025-12-18
Last updated on: 2025-12-18
Assigner: Wordfence
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordpress | events_manager | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-12976 is a Stored Cross-Site Scripting (XSS) vulnerability in the Events Manager WordPress plugin, specifically via the 'events_list_grouped' shortcode. The vulnerability arises because the plugin does not sufficiently sanitize or escape user-supplied attributes in this shortcode. Authenticated users with contributor-level access or higher can inject arbitrary web scripts into pages. These scripts execute whenever any user accesses the affected page, potentially compromising site security. [6]
How can this vulnerability impact me?
This vulnerability allows authenticated users with contributor-level or higher privileges to inject malicious scripts into pages via the 'events_list_grouped' shortcode. When other users visit these pages, the injected scripts execute in their browsers. This can lead to theft of user credentials, session hijacking, defacement, or other malicious actions depending on the injected script's intent. It compromises the integrity and security of the website and its users. [6]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves identifying if the Events Manager plugin for WordPress is installed and running a vulnerable version (up to and including 7.2.2.1). Since the vulnerability is a Stored Cross-Site Scripting (XSS) via the 'events_list_grouped' shortcode, detection can include:
1. Checking the plugin version installed on your WordPress site.
2. Searching for usage of the 'events_list_grouped' shortcode in posts or pages.
3. Looking for suspicious or unexpected script injections in pages that use this shortcode, especially from users with contributor-level access or higher.
There are no specific network commands provided in the resources, but you can use WordPress CLI commands to check plugin versions and search content. Example commands:
- To check the plugin version: `wp plugin get events-manager --field=version`
- To search for the shortcode usage in posts (`--format=ids` prints the IDs space-separated on one line, so they are iterated one at a time): `for id in $(wp post list --post_type=page,post --format=ids); do wp post get "$id" --field=post_content; done | grep '\[events_list_grouped'`
- To scan for suspicious script tags in content: `for id in $(wp post list --post_type=page,post --format=ids); do wp post get "$id" --field=post_content; done | grep '<script'`
These commands help identify if the vulnerable shortcode is used and if there is any injected script content. Manual review of user inputs and event pages is also recommended to detect exploitation. [6]
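The grep above matches any `<script` anywhere in a post; a narrower check is to pull out each 'events_list_grouped' shortcode and inspect only its attribute values, which is where this CVE's injection lands. The scanner below is an added example (not code from the page's resources or from the plugin); the sample post contents and the attribute names `mode`, `limit`, `header_format` and `format` are constructed for the example.

```python
import re

# Constructed sample of post_content values keyed by post ID, as `wp post get <id> --field=post_content`
# would return them. Attribute names are illustrative, not taken from the plugin.
SAMPLE_POSTS = {
    12: '<p>Upcoming events</p>[events_list_grouped mode="monthly" limit="5"]',
    15: '[events_list_grouped mode="yearly" header_format="<h3 onmouseover=alert(1)>#s</h3>"]',
    19: "[events_list_grouped limit='3' format='<a href=\"javascript:alert(1)\">#_EVENTNAME</a>']",
    22: "<p>Plain page, no shortcode.</p>",
}

# One shortcode per match; group 1 is the raw attribute text inside the brackets.
SHORTCODE_RE = re.compile(r"\[events_list_grouped\b([^\]]*)\]", re.I)
# name="value", name='value' or name=bareword, in that order of preference.
ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|(\S+))""")

# Markers that should never appear inside a shortcode attribute authored by a trusted user.
SUSPICIOUS = [
    ("script tag", re.compile(r"<\s*script\b", re.I)),
    ("inline event handler", re.compile(r"\bon[a-z]+\s*=", re.I)),
    ("javascript: URL", re.compile(r"javascript\s*:", re.I)),
]


def parse_attrs(attr_text):
    """Turn the raw attribute text of one shortcode into a {name: value} dict."""
    attrs = {}
    for m in ATTR_RE.finditer(attr_text):
        attrs[m.group(1).lower()] = next(g for g in m.groups()[1:] if g is not None)
    return attrs


def find_shortcodes(content):
    """Return the parsed attributes of every events_list_grouped shortcode in a post body."""
    return [parse_attrs(m.group(1)) for m in SHORTCODE_RE.finditer(content)]


def suspicious_attrs(attrs):
    """List (attribute name, marker label) pairs for every attribute value that hits a marker."""
    return [(name, label) for name, value in attrs.items()
            for label, pat in SUSPICIOUS if pat.search(value)]


def scan_posts(posts):
    """Map post ID -> findings, for posts whose shortcode attributes carry suspicious markers."""
    report = {}
    for post_id, content in posts.items():
        for attrs in find_shortcodes(content):
            hits = suspicious_attrs(attrs)
            if hits:
                report.setdefault(post_id, []).extend(hits)
    return report


if __name__ == "__main__":
    for post_id, hits in scan_posts(SAMPLE_POSTS).items():
        print(post_id, hits)
```

Feed it real content by replacing SAMPLE_POSTS with the output of the `wp post get` loop above; a hit on a post authored by a contributor-level user is the signal to review.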
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:
1. Update the Events Manager plugin to a version later than 7.2.2.1 where the vulnerability is fixed.
2. Restrict contributor-level and higher user permissions to trusted users only, as the vulnerability requires authenticated users with contributor-level access or above to exploit.
3. Review and sanitize any existing content using the 'events_list_grouped' shortcode to remove any injected scripts.
4. Disable or limit usage of the 'events_list_grouped' shortcode until the plugin is updated.
5. Follow best practices for input sanitization and output escaping in WordPress, and consider applying additional security plugins or Web Application Firewalls (WAF) to detect and block XSS attempts.
The plugin itself attempts to sanitize shortcode parameters using WordPress's wp_kses() function, but the vulnerability arises from insufficient sanitization in some shortcode attributes, so updating the plugin is critical. [6]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows authenticated users with contributor-level access to inject arbitrary scripts via stored Cross-Site Scripting (XSS) in pages using the 'events_list_grouped' shortcode. This could lead to unauthorized access or manipulation of user data when other users view the injected pages. Such unauthorized data exposure or manipulation could potentially violate data protection regulations like GDPR or HIPAA, which require safeguarding personal data against unauthorized access and ensuring data integrity. Therefore, this vulnerability may negatively impact compliance with these standards by exposing personal or sensitive data to attackers through script injection. [6]