{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25361", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-02T12:52:48.541Z", "datePublished": "2026-03-25T16:14:45.515Z", "dateUpdated": "2026-04-28T16:14:56.702Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "mage-eventpress", "product": "WpEvently", "vendor": "magepeopleteam", "versions": [{"changes": [{"at": "5.1.5", "status": "unaffected"}], "lessThanOrEqual": "5.1.4", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "johska | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-22T14:18:24.498Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in magepeopleteam WpEvently mage-eventpress allows Reflected XSS.<p>This issue affects WpEvently: from n/a through <= 5.1.4.</p>"}], "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in magepeopleteam WpEvently mage-eventpress allows Reflected XSS.This issue affects WpEvently: from n/a through <= 5.1.4."}], "impacts": [{"capecId": "CAPEC-591", "descriptions": [{"lang": "en", "value": "Reflected XSS"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:56.702Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/mage-eventpress/vulnerability/wordpress-wpevently-plugin-5-1-4-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "title": "WordPress WpEvently plugin <= 5.1.4 - Reflected Cross Site Scripting (XSS) vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-25T20:11:24.891929Z", "id": "CVE-2026-25361", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T01:35:46.216Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25361", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-25T20:11:24.891929Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T20:05:45.960Z"}}], "cna": {"title": "WordPress WpEvently plugin <= 5.1.4 - Reflected Cross Site Scripting (XSS) vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "johska | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-591", "descriptions": [{"lang": "en", "value": "Reflected XSS"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "magepeopleteam", "product": "WpEvently", "versions": [{"status": "affected", "changes": [{"at": "5.1.5", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "5.1.4"}], "packageName": "mage-eventpress", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-22T14:18:24.498Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/mage-eventpress/vulnerability/wordpress-wpevently-plugin-5-1-4-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in magepeopleteam WpEvently mage-eventpress allows Reflected XSS.This issue affects WpEvently: from n/a through <= 5.1.4.", "supportingMedia": [{"type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in magepeopleteam WpEvently mage-eventpress allows Reflected XSS.<p>This issue affects WpEvently: from n/a through <= 5.1.4.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-23T14:14:09.162Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25361", "state": "PUBLISHED", "dateUpdated": "2026-04-28T01:35:46.216Z", "dateReserved": "2026-02-02T12:52:48.541Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-25T16:14:45.515Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in magepeopleteam WpEvently mage-eventpress allows Reflected XSS.This issue affects WpEvently: from n/a through <= 5.1.4."}, {"lang": "es", "value": "Neutralizaci\u00f3n Incorrecta de la Entrada Durante la Generaci\u00f3n de P\u00e1ginas Web ('cross-site scripting') vulnerabilidad en magepeopleteam WpEvently mage-eventpress permite XSS Reflejado. Este problema afecta a WpEvently: desde n/d hasta &lt;= 5.1.4."}], "id": "CVE-2026-25361", "lastModified": "2026-04-24T16:32:53.997", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.7, "source": "audit@patchstack.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-25T17:16:47.283", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/mage-eventpress/vulnerability/wordpress-wpevently-plugin-5-1-4-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,5.1.4]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "WpEvently", "source": "cna", "vendor": "magepeopleteam"}, "product": "wpevently", "vendor": "magepeopleteam"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-25T23:06:10.361084+00:00", "value": {"mitigation_remediation": ["Update the WpEvently plugin to a version newer than 5.1.4 or to the latest release available from Magepeopleteam.", "If an update cannot be applied immediately, disable or remove the plugin from the WordPress installation until a patch is released.", "Verify that any future plugins or custom code added to the site properly encode or sanitize all output to prevent similar cross\u2011site scripting issues."], "summary": {"action": "Patch Immediately", "impact": "Cross\u2011site scripting that can execute arbitrary scripts in users\u2019 browsers"}, "threat_synthesis": {"affected_systems": "Magepeopleteam\u2019s WpEvently \"mage\u2011eventpress\" WordPress plugin is affected for all releases from the initial version up through 5.1.4. The vulnerability persists in every installed instance that has not been upgraded beyond 5.1.4.", "description_and_impact": "The flaw is an improper neutralization of user input during web page generation, enabling reflected cross\u2011site scripting. An attacker can inject malicious JavaScript that is reflected back to the victim\u2019s browser when a crafted request is executed, allowing the attacker to steal session tokens, deface content, or redirect users to phishing sites.", "risk_and_exploitability": "The CVSS score of 7.1 indicates a high severity level. Although no EPSS score is publicly available and the flaw is not listed in the CISA KEV catalog, the exploitability is straightforward: an attacker can craft a URL or form submission that triggers the reflected script on any user browsing the site. The attack vector is inferred to be through user\u2011controlled input in HTTP queries or form data that is directly echoed in the response."}}}}, "created": "2026-03-25T21:44:52.066663+00:00", "updated": "2026-03-26T12:12:46.353583+00:00", "vendors": ["magepeopleteam", "magepeopleteam$PRODUCT$wpevently", "wordpress", "wordpress$PRODUCT$wordpress"]}