{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1649", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-01-29T19:05:46.724Z", "datePublished": "2026-02-18T08:26:04.945Z", "dateUpdated": "2026-04-08T17:20:35.144Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:20:35.144Z"}, "affected": [{"vendor": "jackdewey", "product": "Community Events", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.5.7", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Community Events plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'ce_venue_name' parameter in all versions up to, and including, 1.5.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Community Events <= 1.5.7 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'ce_venue_name' Parameter", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c44232a9-7b97-449c-b584-ca3c26d63581?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/community-events/trunk/community-events.php#L1403"}, {"url": "https://plugins.trac.wordpress.org/browser/community-events/tags/1.5.7/community-events.php#L1403"}, {"url": "https://plugins.trac.wordpress.org/browser/community-events/tags/1.5.7/community-events.php#L779"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3456114%40community-events&new=3456114%40community-events&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N", "baseScore": 4.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "huy tran"}], "timeline": [{"time": "2026-01-29T19:20:55.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-02-17T20:16:41.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-18T12:24:53.383133Z", "id": "CVE-2026-1649", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-18T12:51:26.267Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1649", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-18T12:24:53.383133Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-18T12:24:54.172Z"}}], "cna": {"title": "Community Events <= 1.5.7 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'ce_venue_name' Parameter", "credits": [{"lang": "en", "type": "finder", "value": "huy tran"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "jackdewey", "product": "Community Events", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "1.5.7"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-01-29T19:20:55.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-02-17T20:16:41.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c44232a9-7b97-449c-b584-ca3c26d63581?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/community-events/trunk/community-events.php#L1403"}, {"url": "https://plugins.trac.wordpress.org/browser/community-events/tags/1.5.7/community-events.php#L1403"}, {"url": "https://plugins.trac.wordpress.org/browser/community-events/tags/1.5.7/community-events.php#L779"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3456114%40community-events&new=3456114%40community-events&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The Community Events plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'ce_venue_name' parameter in all versions up to, and including, 1.5.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-02-18T08:26:04.945Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1649", "state": "PUBLISHED", "dateUpdated": "2026-02-18T12:51:26.267Z", "dateReserved": "2026-01-29T19:05:46.724Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-02-18T08:26:04.945Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Community Events plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'ce_venue_name' parameter in all versions up to, and including, 1.5.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "El plugin Community Events para WordPress es vulnerable a cross-site scripting almacenado a trav\u00e9s del par\u00e1metro 'ce_venue_name' en todas las versiones hasta la 1.5.7, inclusive, debido a una sanitizaci\u00f3n de entrada y un escape de salida insuficientes. Esto permite que atacantes autenticados, con acceso de nivel de administrador y superior, inyecten scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n cada vez que un usuario acceda a una p\u00e1gina inyectada."}], "id": "CVE-2026-1649", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.3, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-02-18T09:15:58.173", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/community-events/tags/1.5.7/community-events.php#L1403"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/community-events/tags/1.5.7/community-events.php#L779"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/community-events/trunk/community-events.php#L1403"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3456114%40community-events&new=3456114%40community-events&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c44232a9-7b97-449c-b584-ca3c26d63581?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.5.7]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Community Events", "source": "cna", "vendor": "jackdewey"}, "product": "community_events", "vendor": "jackdewey"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-15T17:05:32.032699+00:00", "value": {"mitigation_remediation": ["Upgrade the Community Events plugin to the latest released version that contains the vulnerability fix.", "If an upgrade cannot be performed immediately, delete or sanitize any existing venue names that contain suspicious or unsanitized content and limit the creation rights to trusted administrators.", "Implement input validation and output escaping for the ce_venue_name field, such as using WordPress functions esc_html() or wp_strip_all_tags() before storing or rendering the value."], "summary": {"action": "Patch", "impact": "Stored cross\u2011site scripting via the ce_venue_name parameter allowing administrator-level users to inject arbitrary JavaScript into stored venue data"}, "threat_synthesis": {"affected_systems": "All installations of the Community Events WordPress plugin from jackdewey that run version 1.5.7 or earlier are affected. The vulnerability is present in the plugin\u2019s core code that processes the ce_venue_name field, and there is no known fix in versions up to and including 1.5.7.", "description_and_impact": "The Community Events plugin for WordPress is vulnerable to stored cross\u2011site scripting via the ce_venue_name parameter. This flaw arises from insufficient input sanitization and output escaping and allows an attacker who can authenticate with administrator\u2011level or higher privileges to inject arbitrary JavaScript or other web scripts into the plugin\u2019s stored venue information. Once injected, the scripts execute whenever any user loads the affected page, thereby compromising the confidentiality, integrity, and potentially availability of the affected WordPress site.", "risk_and_exploitability": "The CVSS score of 4.4 indicates a medium severity, and the EPSS score of less than 1% suggests a low likelihood of exploitation in the wild. However, the vulnerability requires authenticated administrators, making it an internal risk if privileged accounts are compromised or if an insider misuses the capability. Because it is not listed in the CISA KEV catalog, there is currently no known active exploitation. Attackers would exploit the flaw by submitting a malicious venue name through the event creation interface, after which the malicious payload is stored and rendered without proper escaping."}}}}, "created": "2026-02-18T10:32:24.897764+00:00", "updated": "2026-04-15T17:30:10.434029+00:00", "vendors": ["jackdewey", "jackdewey$PRODUCT$community_events", "wordpress", "wordpress$PRODUCT$wordpress"]}