CVE-2026-1649
Stored XSS in WordPress Community Events Plugin Allows Admin Script Injection
Publication date: 2026-02-18
Last updated on: 2026-02-18
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordfence | community_events | to 1.5.7 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in the Community Events WordPress plugin (up to version 1.5.7) is a Stored Cross-Site Scripting (XSS) issue. It occurs because the plugin does not properly sanitize or escape input provided via the 'ce_venue_name' parameter. This allows authenticated users with administrator-level access or higher to inject malicious scripts into pages. These scripts then execute whenever any user views the affected page, potentially compromising user data or site integrity.
How can this vulnerability impact me? :
This vulnerability can allow an attacker with administrator-level access to inject arbitrary web scripts into the website. When other users visit the injected pages, these scripts execute in their browsers, which can lead to theft of sensitive information, session hijacking, or unauthorized actions performed on behalf of the user. Although the attacker must already have high-level access, the impact includes potential compromise of user accounts and site security.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': "The vulnerability involves Stored Cross-Site Scripting (XSS) via the 'ce_venue_name' parameter in the Community Events WordPress plugin up to version 1.5.7. Detection involves checking for malicious script injections in the venue name fields stored in the plugin's database tables."}, {'type': 'paragraph', 'content': 'To detect this vulnerability on your system, you can inspect the database entries in the `ce_venues` table for suspicious or unexpected script tags or JavaScript code in the `ce_venue_name` field.'}, {'type': 'list_item', 'content': 'Use a SQL query to search for script tags or suspicious content in the venue name field, for example:'}, {'type': 'list_item', 'content': "SELECT * FROM ce_venues WHERE ce_venue_name LIKE '%<script>%' OR ce_venue_name LIKE '%javascript:%';"}, {'type': 'list_item', 'content': 'Check the plugin version installed on your WordPress site to see if it is version 1.5.7 or earlier, which is vulnerable.'}, {'type': 'list_item', 'content': "Review HTTP requests or logs for POST or GET requests that include the 'ce_venue_name' parameter with suspicious payloads."}] [1]
What immediate steps should I take to mitigate this vulnerability?
[{'type': 'paragraph', 'content': 'The immediate mitigation step is to update the Community Events WordPress plugin to version 1.5.8 or later, where proper input sanitization and output escaping have been implemented to prevent this Stored Cross-Site Scripting vulnerability.'}, {'type': 'paragraph', 'content': 'If updating immediately is not possible, restrict administrator-level access to trusted users only, since exploitation requires authenticated users with high privileges.'}, {'type': 'paragraph', 'content': 'Additionally, review and sanitize any existing venue names in the database to remove malicious scripts.'}, {'type': 'paragraph', 'content': "Implement Web Application Firewall (WAF) rules to detect and block suspicious payloads targeting the 'ce_venue_name' parameter."}] [3]