CVE-2026-25465
Stored XSS in CP Multi View Event Calendar
Publication date: 2026-03-25
Last updated on: 2026-04-28
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| codepeople | cp_multi_view_event_calendar | to 1.4.35 (inc) |
| codepeople | cp_multi_view_calendar | From 1.0.0 (inc) to 1.4.35 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-25465 is a medium severity Cross Site Scripting (XSS) vulnerability affecting the WordPress CP Multi View Event Calendar Plugin versions up to and including 1.4.35.
This vulnerability allows attackers to inject malicious scripts, such as redirects, advertisements, or other HTML payloads, which execute when site visitors access the affected website.
Exploitation requires a privileged user (at least a subscriber role) to interact with a crafted link, page, or form, making user interaction necessary for the attack to succeed.
The vulnerability falls under the OWASP Top 10 category A3: Injection and is considered moderately dangerous, with potential for mass exploitation.
How can this vulnerability impact me? :
This vulnerability can impact you by allowing attackers to execute malicious scripts on your website, which can lead to unauthorized redirects, display of unwanted advertisements, or other harmful HTML payloads.
Such attacks can compromise the integrity and trustworthiness of your website, potentially harming your users and damaging your site's reputation.
Because exploitation requires user interaction, attackers may trick users into clicking malicious links or submitting crafted forms, leading to a successful attack.
The vulnerability is expected to be targeted in mass-exploit campaigns, affecting many websites regardless of their traffic or popularity.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is a Stored Cross-Site Scripting (XSS) issue in the CP Multi View Event Calendar WordPress plugin versions up to 1.4.35. Detection typically involves identifying malicious script injections in the web pages generated by the plugin.
Since exploitation requires user interaction such as submitting a form or visiting a crafted page, monitoring HTTP requests and responses for suspicious script payloads related to the plugin's calendar functionality can help detect attempts.
Specific commands are not provided in the available resources, but general approaches include:
- Using web vulnerability scanners that detect XSS vulnerabilities on the affected plugin pages.
- Inspecting HTTP traffic with tools like Burp Suite or OWASP ZAP to identify injected scripts in responses.
- Searching the website source code or database entries for suspicious script tags or payloads related to the calendar plugin.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:
- Update the CP Multi View Event Calendar plugin to a patched version once it becomes available.
- Until an official patch is released, apply the mitigation rule issued by Patchstack to block attacks targeting this vulnerability.
- Limit user privileges to reduce the risk of exploitation, as the attack requires at least subscriber-level access.
- Consult with your hosting provider or web developer for additional protective measures.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not specify how the CVE-2026-25465 vulnerability impacts compliance with common standards and regulations such as GDPR or HIPAA.