{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-5568", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-06-03T19:26:13.553Z", "datePublished": "2025-06-07T11:17:50.949Z", "dateUpdated": "2026-04-08T17:12:51.844Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:12:51.844Z"}, "affected": [{"vendor": "magepeopleteam", "product": "Event Booking Manager for WooCommerce", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "4.4.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The WpEvently plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple parameters in all versions up to, and including, 4.4.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "WpEvently <= 4.4.2 - Authenticated (Contributor+) Stored Cross-Site Scripting", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a3659c4d-3a19-4f74-9f6d-26d7b24ebe56?source=cve"}, {"url": "https://wordpress.org/plugins/mage-eventpress/#developers"}, {"url": "https://github.com/magepeopleteam/mage-eventpress/commit/c6f8d3233087881d3eb7ed3ebe9a6ebc7795f144"}, {"url": "https://plugins.trac.wordpress.org/changeset/3307484"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Siavash Vaez Afshar"}], "timeline": [{"time": "2025-06-04T14:37:48.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-06-06T21:50:06.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-06-09T16:01:47.964518Z", "id": "CVE-2025-5568", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-09T16:02:02.175Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-5568", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-06-09T16:01:47.964518Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-09T16:01:53.251Z"}}], "cna": {"title": "WpEvently <= 4.4.2 - Authenticated (Contributor+) Stored Cross-Site Scripting", "credits": [{"lang": "en", "type": "finder", "value": "Siavash Vaez Afshar"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "magepeopleteam", "product": "Event Booking Manager for WooCommerce", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "4.4.2"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-06-04T14:37:48.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-06-06T21:50:06.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a3659c4d-3a19-4f74-9f6d-26d7b24ebe56?source=cve"}, {"url": "https://wordpress.org/plugins/mage-eventpress/#developers"}, {"url": "https://github.com/magepeopleteam/mage-eventpress/commit/c6f8d3233087881d3eb7ed3ebe9a6ebc7795f144"}, {"url": "https://plugins.trac.wordpress.org/changeset/3307484"}], "descriptions": [{"lang": "en", "value": "The WpEvently plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple parameters in all versions up to, and including, 4.4.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:12:51.844Z"}}}, "cveMetadata": {"cveId": "CVE-2025-5568", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:12:51.844Z", "dateReserved": "2025-06-03T19:26:13.553Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-06-07T11:17:50.949Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mage-people:event_manager_and_tickets_selling_for_woocommerce:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "E61741BA-730E-48DC-B7CB-9452F8344332", "versionEndExcluding": "4.4.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The WpEvently plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple parameters in all versions up to, and including, 4.4.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "El complemento WpEvently para WordPress es vulnerable a Cross Site Scripting almacenado a trav\u00e9s de m\u00faltiples par\u00e1metros en todas las versiones hasta la 4.4.2 incluida, debido a una depuraci\u00f3n de entrada y un escape de salida insuficientes. Esto permite a atacantes autenticados, con acceso de colaborador o superior, inyectar scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n al acceder un usuario a una p\u00e1gina inyectada."}], "id": "CVE-2025-5568", "lastModified": "2025-07-15T17:09:32.110", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-06-07T12:15:23.370", "references": [{"source": "security@wordfence.com", "tags": ["Product"], "url": "https://github.com/magepeopleteam/mage-eventpress/commit/c6f8d3233087881d3eb7ed3ebe9a6ebc7795f144"}, {"source": "security@wordfence.com", "tags": ["Patch"], "url": "https://plugins.trac.wordpress.org/changeset/3307484"}, {"source": "security@wordfence.com", "tags": ["Product"], "url": "https://wordpress.org/plugins/mage-eventpress/#developers"}, {"source": "security@wordfence.com", "tags": ["Third Party Advisory"], "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a3659c4d-3a19-4f74-9f6d-26d7b24ebe56?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T22:34:42.446818+00:00", "value": {"mitigation_remediation": ["Update the Event Booking Manager for WooCommerce plugin to version 4.4.3 or newer where the issue is fixed.", "Limit the Contributor role to trusted users only and review user permissions to prevent unauthorized access.", "Deploy a web application firewall or apply a strict Content Security Policy to block reflected or stored XSS payloads."], "summary": {"action": "Patch", "impact": "Stored Cross\u2011Site Scripting for authenticated contributors and higher"}, "threat_synthesis": {"affected_systems": "The affected product is the Event Booking Manager for WooCommerce plugin from MagePeopleTeam, deployed on WordPress sites. All plugin releases up to version 4.4.2 are impacted; versions 4.4.3 and newer have addressed the issue.", "description_and_impact": "The WpEvently plugin for WordPress is vulnerable to stored cross\u2011site scripting via multiple parameters in all versions up to and including 4.4.2 due to insufficient input sanitization and output escaping. This allows authenticated attackers with Contributor-level access or higher to inject arbitrary JavaScript that executes whenever a user visits an injected page. The flaw falls under CWE\u201179 and carries a CVSS score of 6.4.", "risk_and_exploitability": "The exploitation probability is low with an EPSS score below 1\u202f%. The flaw is not listed in the CISA KEV catalog. Attackers must first be authenticated with at least Contributor role, which is typically granted to users who can create or edit events. Once the vulnerability is leveraged, the injected script runs in the context of the site, potentially allowing session hijacking, defacement, or phishing attacks against all site visitors. Due to the need for valid credentials, the risk is moderate rather than high."}}}}, "created": "2026-04-20T22:45:20.539879+00:00", "updated": "2026-04-20T22:45:20.539890+00:00", "vendors": []}