{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-5540", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-06-03T15:50:58.944Z", "datePublished": "2025-06-26T02:06:35.891Z", "dateUpdated": "2026-04-08T17:32:16.547Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:32:16.547Z"}, "affected": [{"vendor": "emarket-design", "product": "Event RSVP and Simple Event Management Plugin", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "4.1.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Event RSVP and Simple Event Management Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'emd_mb_meta' shortcode in all versions up to, and including, 4.1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Event RSVP and Simple Event Management Plugin <= 4.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f09ffc02-bfed-4aa3-a3d3-58e188b3e147?source=cve"}, {"url": "https://wordpress.org/plugins/wp-easy-events/"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3324339%40wp-easy-events&new=3324339%40wp-easy-events&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Yudha - DJ"}], "timeline": [{"time": "2025-07-30T08:23:06.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-06-25T13:46:36.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-06-26T13:26:12.529551Z", "id": "CVE-2025-5540", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-26T13:26:22.230Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-5540", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-06-26T13:26:12.529551Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-26T13:26:18.516Z"}}], "cna": {"title": "Event RSVP and Simple Event Management Plugin <= 4.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting", "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Yudha - DJ"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "emarket-design", "product": "Event RSVP and Simple Event Management Plugin", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "4.1.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-07-30T08:23:06.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-06-25T13:46:36.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f09ffc02-bfed-4aa3-a3d3-58e188b3e147?source=cve"}, {"url": "https://wordpress.org/plugins/wp-easy-events/"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3324339%40wp-easy-events&new=3324339%40wp-easy-events&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The Event RSVP and Simple Event Management Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'emd_mb_meta' shortcode in all versions up to, and including, 4.1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:32:16.547Z"}}}, "cveMetadata": {"cveId": "CVE-2025-5540", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:32:16.547Z", "dateReserved": "2025-06-03T15:50:58.944Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-06-26T02:06:35.891Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:emarketdesign:event_rsvp_and_simple_event_management:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "D87AF4CA-3F5F-49CF-B09A-35F7FDE58D3C", "versionEndIncluding": "4.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The Event RSVP and Simple Event Management Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'emd_mb_meta' shortcode in all versions up to, and including, 4.1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "El complemento Event RSVP y Simple Event Management para WordPress es vulnerable a cross site scripting almacenado a trav\u00e9s del shortcode 'emd_mb_meta' en todas las versiones hasta la 4.1.0 incluida, debido a una depuraci\u00f3n de entrada insuficiente y al escape de salida en los atributos proporcionados por el usuario. Esto permite a atacantes autenticados, con acceso de colaborador o superior, inyectar scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n al acceder un usuario a una p\u00e1gina inyectada."}], "id": "CVE-2025-5540", "lastModified": "2026-04-08T19:24:20.990", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-06-26T02:15:21.650", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3324339%40wp-easy-events&new=3324339%40wp-easy-events&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "tags": ["Product"], "url": "https://wordpress.org/plugins/wp-easy-events/"}, {"source": "security@wordfence.com", "tags": ["Third Party Advisory"], "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f09ffc02-bfed-4aa3-a3d3-58e188b3e147?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T20:03:56.483619+00:00", "value": {"mitigation_remediation": ["Update Event RSVP and Simple Event Management Plugin to a version newer than 4.1.0.", "If an immediate update is not possible, deactivate the plugin until the fix is released.", "Limit the number of users with Contributor or higher roles to trusted administrators or remove Contributor privileges from untrusted accounts."], "summary": {"action": "Upgrade", "impact": "Stored cross\u2011site scripting"}, "threat_synthesis": {"affected_systems": "All installations of the WordPress plugin Event RSVP and Simple Event Management Plugin from the WordPress repository with version numbers up to and including 4.1.0 are affected. The flaw manifests in every iteration of the plugin released in that range regardless of other installed plugins or themes.", "description_and_impact": "The Event RSVP and Simple Event Management Plugin is vulnerable to stored cross\u2011site scripting in the 'emd_mb_meta' shortcode due to insufficient input sanitization and output escaping of user\u2011supplied attributes. An authenticated user holding contributor or higher privileges can inject arbitrary scripts that execute whenever a site visitor loads a page containing the shortcode, enabling theft of session cookies, defacement, and other client\u2011side attacks.", "risk_and_exploitability": "The CVSS score of 6.4 indicates a moderate level of risk. The EPSS score of < 1% means that exploitation is expected to be very low in the wild at present, and the vulnerability is not listed in CISA KEV. However, exploitation only requires an authenticated contributor\u2011level account, which an attacker could obtain through credential compromise or phishing. Once such an account is available, the injected scripts will run in the context of any user viewing the affected page, and while the flaw does not give remote code execution on the server, it poses a significant threat to client\u2011side data and site integrity."}}}}, "created": "2026-04-21T20:15:44.573765+00:00", "updated": "2026-04-21T20:15:44.573776+00:00", "vendors": []}