{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-12976", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-11-10T18:53:47.200Z", "datePublished": "2025-12-18T07:20:45.856Z", "dateUpdated": "2026-04-08T16:37:31.229Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:37:31.229Z"}, "affected": [{"vendor": "netweblogic", "product": "Events Manager \u2013 Calendar, Bookings, Tickets, and more!", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "7.2.2.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Events Manager \u2013 Calendar, Bookings, Tickets, and more! plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'events_list_grouped' shortcode in all versions up to, and including, 7.2.2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Events Manager <= 7.2.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'events_list_grouped' Shortcode", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/17e853b2-c7ab-478c-9c89-d8e3a42d1a42?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/events-manager/tags/7.2.2.1/em-shortcode.php#L119"}, {"url": "https://plugins.trac.wordpress.org/browser/events-manager/tags/7.2.2.1/em-functions.php#L933"}, {"url": "https://plugins.trac.wordpress.org/browser/events-manager/tags/7.2.2.1/templates/templates/events-list-grouped.php"}, {"url": "https://plugins.trac.wordpress.org/browser/events-manager/tags/7.2.2.1/classes/em-events.php#L423"}, {"url": "https://plugins.trac.wordpress.org/changeset/3413776/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Yudha - DJ"}], "timeline": [{"time": "2025-11-10T19:09:11.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-12-17T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-18T15:26:50.219845Z", "id": "CVE-2025-12976", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-18T15:33:38.384Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-12976", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-12-18T15:26:50.219845Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-18T15:26:52.048Z"}}], "cna": {"title": "Events Manager <= 7.2.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'events_list_grouped' Shortcode", "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Yudha - DJ"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "netweblogic", "product": "Events Manager \u2013 Calendar, Bookings, Tickets, and more!", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "7.2.2.1"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-11-10T19:09:11.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-12-17T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/17e853b2-c7ab-478c-9c89-d8e3a42d1a42?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/events-manager/tags/7.2.2.1/em-shortcode.php#L119"}, {"url": "https://plugins.trac.wordpress.org/browser/events-manager/tags/7.2.2.1/em-functions.php#L933"}, {"url": "https://plugins.trac.wordpress.org/browser/events-manager/tags/7.2.2.1/templates/templates/events-list-grouped.php"}, {"url": "https://plugins.trac.wordpress.org/browser/events-manager/tags/7.2.2.1/classes/em-events.php#L423"}, {"url": "https://plugins.trac.wordpress.org/changeset/3413776/"}], "descriptions": [{"lang": "en", "value": "The Events Manager \u2013 Calendar, Bookings, Tickets, and more! plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'events_list_grouped' shortcode in all versions up to, and including, 7.2.2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:37:31.229Z"}}}, "cveMetadata": {"cveId": "CVE-2025-12976", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:37:31.229Z", "dateReserved": "2025-11-10T18:53:47.200Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-12-18T07:20:45.856Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Events Manager \u2013 Calendar, Bookings, Tickets, and more! plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'events_list_grouped' shortcode in all versions up to, and including, 7.2.2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "id": "CVE-2025-12976", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-12-18T08:15:49.127", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/events-manager/tags/7.2.2.1/classes/em-events.php#L423"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/events-manager/tags/7.2.2.1/em-functions.php#L933"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/events-manager/tags/7.2.2.1/em-shortcode.php#L119"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/events-manager/tags/7.2.2.1/templates/templates/events-list-grouped.php"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3413776/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/17e853b2-c7ab-478c-9c89-d8e3a42d1a42?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T16:05:42.768534+00:00", "value": {"mitigation_remediation": ["Upgrade the Events Manager plugin to the latest release that fixes the XSS flaw (any version above\u202f7.2.2.1).", "If an immediate update is not possible, restrict contributor\u2011level or higher permissions from adding or editing events that can use the \u2018events_list_grouped\u2019 shortcode, effectively removing the ability to inject scripts.", "Deploy a web\u2011application firewall or implement a content\u2011security\u2011policy rule that blocks unexpected script content in shortcode attributes to prevent script injection."], "summary": {"action": "Apply Patch", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "WordPress sites that have the Events Manager \u2013 Calendar, Bookings, Tickets, and more! plugin installed from its earliest releases up to and including version\u202f7.2.2.1 are affected. The flaw resides in the plugin\u2019s shortcode and any site that uses it is at risk. The product is provided by Netweblogic.", "description_and_impact": "The vulnerability is a stored cross\u2011site scripting flaw in the Events Manager WordPress plugin. The flaw exists in the \u2018events_list_grouped\u2019 shortcode, which accepts user\u2011supplied attributes without proper sanitization or escaping. An authenticated attacker who has contributor level or higher can embed malicious scripts in these attributes, resulting in arbitrary JavaScript that runs in the browsers of any user who views a page containing the injected shortcode. This is a CWE\u201179 input validation weakness that can lead to session hijacking, credential theft, or defacement.", "risk_and_exploitability": "The CVSS score of\u202f6.4 indicates a medium severity. The EPSS score of less than\u202f1% suggests a very low current exploitation probability, and the vulnerability is not yet listed in the CISA KEV catalog. However, the flaw requires legitimate contributor\u2011level credentials, so it is limited to sites with users having that level of access. Once an attacker injects the payload, every other site visitor will execute the malicious script, providing a consistent and persistent XSS risk."}}}}, "created": "2025-12-19T09:18:52.797042+00:00", "updated": "2026-04-22T16:15:21.788830+00:00", "vendors": ["netweblogic", "netweblogic$PRODUCT$events_manager", "wordpress", "wordpress$PRODUCT$wordpress"]}