{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-9875", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-09-02T21:18:52.488Z", "datePublished": "2025-10-03T11:17:10.831Z", "dateUpdated": "2026-04-08T16:48:10.012Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:48:10.012Z"}, "affected": [{"vendor": "ticketspot", "product": "Event Tickets, RSVPs, Calendar", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.0.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Event Tickets, RSVPs, Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'ticket_spot' shortcode in all versions up to, and including, 1.0.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Event Tickets, RSVPs, Calendar <= 1.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3f507853-8c9f-4308-ad6e-5fbb610158f5?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/ticket-spot/trunk/ticket-spot.php#L104"}, {"url": "https://plugins.trac.wordpress.org/changeset/3371344/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Gilang Asra Bilhadi"}], "timeline": [{"time": "2025-10-02T22:11:53.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-10-03T18:04:56.896144Z", "id": "CVE-2025-9875", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-03T18:05:08.687Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-9875", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-10-03T18:04:56.896144Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-03T18:05:03.359Z"}}], "cna": {"title": "Event Tickets, RSVPs, Calendar <= 1.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting", "credits": [{"lang": "en", "type": "finder", "value": "Gilang Asra Bilhadi"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "ticketspot", "product": "Event Tickets, RSVPs, Calendar", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.0.2"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-10-02T22:11:53.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3f507853-8c9f-4308-ad6e-5fbb610158f5?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/ticket-spot/trunk/ticket-spot.php#L104"}, {"url": "https://plugins.trac.wordpress.org/changeset/3371344/"}], "descriptions": [{"lang": "en", "value": "The Event Tickets, RSVPs, Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'ticket_spot' shortcode in all versions up to, and including, 1.0.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:48:10.012Z"}}}, "cveMetadata": {"cveId": "CVE-2025-9875", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:48:10.012Z", "dateReserved": "2025-09-02T21:18:52.488Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-10-03T11:17:10.831Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Event Tickets, RSVPs, Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'ticket_spot' shortcode in all versions up to, and including, 1.0.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "id": "CVE-2025-9875", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-10-03T12:15:49.453", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/ticket-spot/trunk/ticket-spot.php#L104"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3371344/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3f507853-8c9f-4308-ad6e-5fbb610158f5?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T18:57:01.906226+00:00", "value": {"mitigation_remediation": ["Update the TicketSpot Event Tickets, RSVPs, Calendar plugin to the latest version (\u2265\u202f1.0.3) where input sanitization is fixed.", "If an update is unavailable, disable the \u2018ticket_spot\u2019 shortcode on all posts and pages or remove it entirely from the site.", "Apply a content filter that escapes all output of the plugin\u2019s attributes to prevent execution of injected scripts."], "summary": {"action": "Patch Immediately", "impact": "Stored Cross\u2011Site Scripting accessible to authenticated contributors and above"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the TicketSpot Event Tickets, RSVPs, Calendar plugin for WordPress in all versions up to and including 1.0.2. Sites running any of those releases are impacted, regardless of the number of websites or WordPress installations they host.", "description_and_impact": "The Event Tickets, RSVPs, Calendar plugin for WordPress contains an input validation flaw that allows an authenticated user with contributor privileges or higher to inject arbitrary JavaScript into pages using the plugin\u2019s \u2018ticket_spot\u2019 shortcode. The injected script is stored within the post or page content and will execute automatically whenever any user visits the impacted page, potentially enabling credential theft, session hijacking, defacement, or data exfiltration. The weakness is a classic stored cross\u2011site scripting flaw, classified as CWE\u201179.", "risk_and_exploitability": "The CVSS score of 6.4 indicates a moderate severity, but the EPSS score is less than 1%, and the vulnerability is not listed in the CISA KEV catalog, suggesting a low but non\u2011zero probability of exploitation. Because the attack requires authenticated contributor access, it is a local privilege escalating risk rather than a remote exploit. If an attacker gains a contributor account, they can inject scripts that will affect every subsequent visitor of the affected page, thereby creating a widespread impact within the site\u2019s user base."}}}}, "created": "2025-10-06T14:43:02.924928+00:00", "updated": "2026-04-21T19:00:36.141926+00:00", "vendors": ["ticketspot", "ticketspot$PRODUCT$event_tickets", "wordpress", "wordpress$PRODUCT$wordpress"]}