{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24988", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-28T09:50:51.017Z", "datePublished": "2026-02-03T14:08:36.560Z", "dateUpdated": "2026-04-28T16:14:52.531Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "the-events-calendar-shortcode", "product": "The Events Calendar Shortcode & Block", "vendor": "Brian Hogg", "versions": [{"changes": [{"at": "3.1.2", "status": "unaffected"}], "lessThanOrEqual": "3.1.1", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "PPzzAArr | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:05:01.450Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Brian Hogg The Events Calendar Shortcode & Block the-events-calendar-shortcode allows Stored XSS.<p>This issue affects The Events Calendar Shortcode & Block: from n/a through <= 3.1.1.</p>"}], "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Brian Hogg The Events Calendar Shortcode & Block the-events-calendar-shortcode allows Stored XSS.This issue affects The Events Calendar Shortcode & Block: from n/a through <= 3.1.1."}], "impacts": [{"capecId": "CAPEC-592", "descriptions": [{"lang": "en", "value": "Stored XSS"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:52.531Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/the-events-calendar-shortcode/vulnerability/wordpress-the-events-calendar-shortcode-block-plugin-3-1-1-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "title": "WordPress The Events Calendar Shortcode & Block plugin <= 3.1.1 - Cross Site Scripting (XSS) vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-04T14:35:32.572233Z", "id": "CVE-2026-24988", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T15:38:59.611Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24988", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-04T14:35:32.572233Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-04T14:34:26.293Z"}}], "cna": {"title": "WordPress The Events Calendar Shortcode & Block plugin <= 3.1.1 - Cross Site Scripting (XSS) vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "PPzzAArr | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-592", "descriptions": [{"lang": "en", "value": "Stored XSS"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Brian Hogg", "product": "The Events Calendar Shortcode &amp; Block", "versions": [{"status": "affected", "changes": [{"at": "3.1.2", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "3.1.1"}], "packageName": "the-events-calendar-shortcode", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-28T13:26:32.767Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/the-events-calendar-shortcode/vulnerability/wordpress-the-events-calendar-shortcode-block-plugin-3-1-1-cross-site-scripting-xss-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Brian Hogg The Events Calendar Shortcode &amp; Block the-events-calendar-shortcode allows Stored XSS.This issue affects The Events Calendar Shortcode &amp; Block: from n/a through <= 3.1.1.", "supportingMedia": [{"type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Brian Hogg The Events Calendar Shortcode &amp; Block the-events-calendar-shortcode allows Stored XSS.<p>This issue affects The Events Calendar Shortcode &amp; Block: from n/a through <= 3.1.1.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T12:10:47.869Z"}}}, "cveMetadata": {"cveId": "CVE-2026-24988", "state": "PUBLISHED", "dateUpdated": "2026-04-28T15:38:59.611Z", "dateReserved": "2026-01-28T09:50:51.017Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-02-03T14:08:36.560Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Brian Hogg The Events Calendar Shortcode & Block the-events-calendar-shortcode allows Stored XSS.This issue affects The Events Calendar Shortcode & Block: from n/a through <= 3.1.1."}, {"lang": "es", "value": "Neutralizaci\u00f3n Incorrecta de la Entrada Durante la Generaci\u00f3n de P\u00e1ginas Web ('cross-site scripting') vulnerabilidad en Brian Hogg The Events Calendar Shortcode &amp; Block the-events-calendar-shortcode permite XSS Almacenado. Este problema afecta a The Events Calendar Shortcode &amp; Block: desde n/a hasta &lt;= 3.1.1."}], "id": "CVE-2026-24988", "lastModified": "2026-04-28T19:36:56.387", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 3.7, "source": "audit@patchstack.com", "type": "Secondary"}]}, "published": "2026-02-03T15:16:17.957", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/the-events-calendar-shortcode/vulnerability/wordpress-the-events-calendar-shortcode-block-plugin-3-1-1-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-29T00:54:35.319376+00:00", "value": {"mitigation_remediation": ["Upgrade the \"The Events Calendar Shortcode & Block\" plugin to the latest available version that contains the fix.", "If an updated version is not yet released, temporarily disable or remove the plugin to eliminate the attack surface.", "Implement a browser\u2011side content\u2011security policy that restricts inline script execution until the plugin is patched."], "summary": {"action": "Immediate Patch", "impact": "Cross\u2011Site XSS (Stored XSS)"}, "threat_synthesis": {"affected_systems": "The WordPress plugin \"The Events Calendar Shortcode & Block\" developed by Brian Hogg, all releases up to and including version 3.1.1, is affected.", "description_and_impact": "The vulnerability arises from improper neutralization of input during web page generation, allowing a stored cross\u2011site scripting attack. The plugin saves user content without sanitization, enabling attackers to embed malicious scripts that will execute in visitors' browsers when the content is displayed.", "risk_and_exploitability": "The CVSS score of 6.5 indicates moderate to high severity, while the EPSS probability of less than 1% suggests a low probability of exploitation at present. The vulnerability is not listed in the CISA KEV catalog. The CVE description does not detail a specific attack path; however, stored XSS flaws typically require the attacker to supply input through a content\u2011editing interface, after which the malicious code is displayed to site visitors. The impact is confined to browsers that render the compromised content and can be mitigated by updating or disabling the plugin, or by applying suitable controls such as a content\u2011security policy."}}}}, "created": "2026-02-04T12:09:47.451233+00:00", "updated": "2026-04-29T01:00:11.402835+00:00", "vendors": ["brian_hogg", "brian_hogg$PRODUCT$the_events_calendar_shortcode_&_block", "wordpress", "wordpress$PRODUCT$wordpress"]}