{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-5144", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-05-24T00:29:15.822Z", "datePublished": "2025-06-11T12:22:52.030Z", "dateUpdated": "2026-04-08T16:53:41.442Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:53:41.442Z"}, "affected": [{"vendor": "stellarwp", "product": "The Events Calendar", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "6.13.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The The Events Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018data-date-*\u2019 parameters in all versions up to, and including, 6.13.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "The Events Calendar <= 6.13.2 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/56822fe5-352c-4269-9fab-d8c796362b74?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/the-events-calendar/tags/6.12.0.1/vendor/bootstrap-datepicker/js/bootstrap-datepicker.min.js"}, {"url": "https://github.com/uxsolutions/bootstrap-datepicker/blob/master/js/bootstrap-datepicker.js#L131"}, {"url": "https://bootstrap-datepicker.readthedocs.io/en/latest/index.html#data-api"}, {"url": "https://plugins.trac.wordpress.org/browser/the-events-calendar/tags/6.13.0/vendor/bootstrap-datepicker/js/bootstrap-datepicker.min.js"}, {"url": "https://plugins.trac.wordpress.org/changeset/3307301/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Asaf Mozes"}], "timeline": [{"time": "2025-06-10T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-06-11T13:04:15.331985Z", "id": "CVE-2025-5144", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-11T13:04:30.359Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-5144", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-06-11T13:04:15.331985Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-11T13:04:19.413Z"}}], "cna": {"title": "The Events Calendar <= 6.13.2 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting", "credits": [{"lang": "en", "type": "finder", "value": "Asaf Mozes"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "stellarwp", "product": "The Events Calendar", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "6.13.2"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-06-10T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/56822fe5-352c-4269-9fab-d8c796362b74?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/the-events-calendar/tags/6.12.0.1/vendor/bootstrap-datepicker/js/bootstrap-datepicker.min.js"}, {"url": "https://github.com/uxsolutions/bootstrap-datepicker/blob/master/js/bootstrap-datepicker.js#L131"}, {"url": "https://bootstrap-datepicker.readthedocs.io/en/latest/index.html#data-api"}, {"url": "https://plugins.trac.wordpress.org/browser/the-events-calendar/tags/6.13.0/vendor/bootstrap-datepicker/js/bootstrap-datepicker.min.js"}, {"url": "https://plugins.trac.wordpress.org/changeset/3307301/"}], "descriptions": [{"lang": "en", "value": "The The Events Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018data-date-*\u2019 parameters in all versions up to, and including, 6.13.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:53:41.442Z"}}}, "cveMetadata": {"cveId": "CVE-2025-5144", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:53:41.442Z", "dateReserved": "2025-05-24T00:29:15.822Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-06-11T12:22:52.030Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:stellarwp:the_events_calendar:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "F21ED626-5236-4F9F-9E1B-C72E49EDF3AC", "versionEndExcluding": "6.13.2.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The The Events Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018data-date-*\u2019 parameters in all versions up to, and including, 6.13.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "El complemento Calendario de Eventos para WordPress es vulnerable a Cross-Site Scripting almacenado a trav\u00e9s de los par\u00e1metros 'data-date-*' en todas las versiones hasta la 6.13.2 incluida, debido a una depuraci\u00f3n de entrada y un escape de salida insuficientes. Esto permite a atacantes autenticados, con acceso de colaborador o superior, inyectar scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n al acceder un usuario a una p\u00e1gina inyectada."}], "id": "CVE-2025-5144", "lastModified": "2025-07-10T00:25:36.937", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-06-11T13:15:24.823", "references": [{"source": "security@wordfence.com", "tags": ["Not Applicable"], "url": "https://bootstrap-datepicker.readthedocs.io/en/latest/index.html#data-api"}, {"source": "security@wordfence.com", "tags": ["Not Applicable"], "url": "https://github.com/uxsolutions/bootstrap-datepicker/blob/master/js/bootstrap-datepicker.js#L131"}, {"source": "security@wordfence.com", "tags": ["Product"], "url": "https://plugins.trac.wordpress.org/browser/the-events-calendar/tags/6.12.0.1/vendor/bootstrap-datepicker/js/bootstrap-datepicker.min.js"}, {"source": "security@wordfence.com", "tags": ["Product"], "url": "https://plugins.trac.wordpress.org/browser/the-events-calendar/tags/6.13.0/vendor/bootstrap-datepicker/js/bootstrap-datepicker.min.js"}, {"source": "security@wordfence.com", "tags": ["Patch"], "url": "https://plugins.trac.wordpress.org/changeset/3307301/"}, {"source": "security@wordfence.com", "tags": ["Third Party Advisory"], "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/56822fe5-352c-4269-9fab-d8c796362b74?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T20:19:56.141946+00:00", "value": {"mitigation_remediation": ["Upgrade The Events Calendar plugin to a version newer than 6.13.2.", "Restrict Contributor\u2011level access to trusted users or remove it if unnecessary.", "Implement additional input validation or sanitization for the \u2018data\u2011date\u2011*\u2019 parameters, or disable their usage until the fix is applied."], "summary": {"action": "Apply Patch", "impact": "Stored Cross\u2011Site Scripting with Contributor\u2011level access"}, "threat_synthesis": {"affected_systems": "The affected product is the Events Calendar plugin for WordPress, developed by StellarWP. All versions up to and including 6.13.2 are vulnerable; therefore any WordPress installation running these or earlier releases of the plugin is at risk.", "description_and_impact": "The vulnerability allows authenticated users who possess Contributor or higher privileges to inject arbitrary JavaScript into pages through the \u2018data\u2011date\u2011*\u2019 parameters. The injected code is stored by the plugin and executes whenever another user views the affected page, enabling persistent script execution and manipulation of content visible to all site visitors.", "risk_and_exploitability": "The CVSS score of 6.4 indicates a moderate severity vulnerability. The EPSS score of <1% points to a low probability of exploitation in the current threat landscape. The vulnerability is not listed in the CISA KEV catalog. Attackers require authenticated access with at least Contributor level and would exploit the flaw by submitting malicious input via the plugin\u2019s administrative interface, leading to persistent script execution in the context of other site users."}}}}, "created": "2025-06-24T09:51:40.323922+00:00", "updated": "2026-04-21T20:30:27.396222+00:00", "vendors": ["theeventscalendar", "theeventscalendar$PRODUCT$the_events_calendar"]}