{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-2799", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-03-25T19:52:06.849Z", "datePublished": "2025-07-16T05:23:51.188Z", "dateUpdated": "2026-04-08T17:13:20.678Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:13:20.678Z"}, "affected": [{"vendor": "wpeventmanager", "product": "WP Event Manager \u2013 Events Calendar, Registrations, Sell Tickets with WooCommerce", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.1.49", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The WP Event Manager \u2013 Events Calendar, Registrations, Sell Tickets with WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018tag-name\u2019 parameter in all versions up to, and including, 3.1.49 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled."}], "title": "WP Event Manager <= 3.1.49 - Authenticated (Administrator+) Stored Cross-Site Scripting", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a5cb5ab0-2110-49be-bc09-6847065a9dd9?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3309197/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N", "baseScore": 4.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Nguyen Ngoc Quang Bach"}], "timeline": [{"time": "2025-06-10T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-07-18T14:47:56.439598Z", "id": "CVE-2025-2799", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-18T14:48:02.534Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-2799", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-07-18T14:47:56.439598Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-18T14:47:59.709Z"}}], "cna": {"title": "WP Event Manager <= 3.1.49 - Authenticated (Administrator+) Stored Cross-Site Scripting", "credits": [{"lang": "en", "type": "finder", "value": "Nguyen Ngoc Quang Bach"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "wpeventmanager", "product": "WP Event Manager \u2013 Events Calendar, Registrations, Sell Tickets with WooCommerce", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "3.1.49"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-06-10T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a5cb5ab0-2110-49be-bc09-6847065a9dd9?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3309197/"}], "descriptions": [{"lang": "en", "value": "The WP Event Manager \u2013 Events Calendar, Registrations, Sell Tickets with WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018tag-name\u2019 parameter in all versions up to, and including, 3.1.49 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:13:20.678Z"}}}, "cveMetadata": {"cveId": "CVE-2025-2799", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:13:20.678Z", "dateReserved": "2025-03-25T19:52:06.849Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-07-16T05:23:51.188Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:wp-eventmanager:wp_event_manager:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "16BC7953-628F-4AC9-83D9-BD1CD41EBF1C", "versionEndExcluding": "3.1.50", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The WP Event Manager \u2013 Events Calendar, Registrations, Sell Tickets with WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018tag-name\u2019 parameter in all versions up to, and including, 3.1.49 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled."}, {"lang": "es", "value": "El complemento WP Event Manager \u2013 Events Calendar, Registrations, Sell Tickets with WooCommerce para WordPress es vulnerable a Cross-Site Scripting almacenado a trav\u00e9s del par\u00e1metro 'tag-name' en todas las versiones hasta la 3.1.49 incluida, debido a una depuraci\u00f3n de entrada y un escape de salida insuficientes. Esto permite a atacantes autenticados, con acceso de administrador, inyectar scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n al acceder un usuario a una p\u00e1gina inyectada. Esto solo afecta a instalaciones multisitio y a instalaciones donde se ha deshabilitado unfiltered_html."}], "id": "CVE-2025-2799", "lastModified": "2025-07-16T19:57:17.987", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.3, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.7, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-07-16T06:15:23.303", "references": [{"source": "security@wordfence.com", "tags": ["Patch"], "url": "https://plugins.trac.wordpress.org/changeset/3309197/"}, {"source": "security@wordfence.com", "tags": ["Third Party Advisory"], "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a5cb5ab0-2110-49be-bc09-6847065a9dd9?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T22:16:03.391572+00:00", "value": {"mitigation_remediation": ["Update the WP Event Manager plugin to version 3.1.50 or later on all sites in the multisite network", "Remove or restrict the unfiltered_html capability so that only trusted administrators can use it, eliminating the attack surface employed by this flaw", "Configure the site\u2019s access controls to minimize the number of administrators, ensuring that only vetted accounts have sufficient permissions to modify plugin data"], "summary": {"action": "Apply Patch", "impact": "Stored Cross\u2011Site Scripting via the tag\u2011name parameter enabled for administrators with access to a multisite network where unfiltered_html is disabled"}, "threat_synthesis": {"affected_systems": "All installations of WP Event Manager \u2013 Events Calendar, Registrations, Sell Tickets with WooCommerce plugin up to and including version 3.1.49. The issue is confined to multisite configurations where the WordPress capability unfiltered_html has been disabled, and only affects administrators or roles with equivalent privileges.", "description_and_impact": "The WP Event Manager plugin allows administrators to inject arbitrary JavaScript into the tag\u2011name field. Because the input is not properly sanitized or escaped, the injected code is stored and subsequently served to any user who accesses the affected page, leading to an execution environment controlled by the attacker. This stored XSS can be used to deface content, steal session cookies, redirect victims, or serve other malicious payloads.", "risk_and_exploitability": "The CVSS score of 4.4 indicates a low impact when evaluated broadly, but the vulnerability is exploitable only by users who already possess administrator-level credentials and are on a multisite network with the specific unfiltered_html setting. The EPSS score is below 1\u202f% and the vulnerability is not listed in CISA\u2019s KEV catalog, suggesting a low probability of widespread exploitation. Nevertheless, the presence of an inactive capability and the requirement for admin access mean that organisations with loose role management may still face a risk of script execution on user\u2011facing pages."}}}}, "created": "2026-04-20T22:30:19.865523+00:00", "updated": "2026-04-20T22:30:19.865534+00:00", "vendors": []}