Stored Cross-Site Scripting in WP Event Manager Plugin by WordPress
CVE-2025-2799

4.4 MEDIUM

What is CVE-2025-2799?

The WP Event Manager plugin for WordPress, in all versions up to and including 3.1.49, is vulnerable to Stored Cross-Site Scripting via the 'tag-name' parameter because of insufficient input sanitization and output escaping. Authenticated users with administrator-level access can inject arbitrary web scripts into pages, and those scripts execute whenever a user visits the injected page. Note that this only affects multi-site installations and installations where unfiltered_html has been disabled: on a single-site install, an administrator already holds the unfiltered_html capability and is expected to be able to post markup, so the bug is meaningful precisely where that capability is absent.
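As an added illustration (not code from the plugin or from this advisory), the defect class described above, shown as a hypothetical save/render pair for a tag-name field next to its hardened form. The function names and the option key are assumptions; the WordPress helpers they call are real.

```php
<?php
// Added example, not the plugin's own code. Demonstrates how a request parameter
// such as 'tag-name' becomes a stored XSS when it is neither sanitized on input
// nor escaped on output, and the hardened pattern that closes both gaps.

// --- Vulnerable pattern: raw input stored, raw value echoed ---
function vulnerable_save_tag( array $request ) {
    $name = $request['tag-name'] ?? '';
    update_option( 'example_tag_name', $name ); // stored without sanitization
}
function vulnerable_render_tag() {
    // Unescaped output: any markup stored above is rendered as-is.
    echo '<span class="tag">' . get_option( 'example_tag_name' ) . '</span>';
}

// --- Hardened pattern: capability check, nonce, sanitize on input, escape on output ---
function hardened_save_tag( array $request ) {
    // Only users who may manage site settings should reach this handler.
    if ( ! current_user_can( 'manage_options' ) ) {
        return false;
    }
    // Reject forged admin form submissions (nonce action name is an assumption).
    check_admin_referer( 'example_save_tag' );

    // wp_unslash() undoes WordPress' magic-quotes-style slashing of $_POST,
    // sanitize_text_field() strips tags, octets and line breaks from a one-line value.
    $name = sanitize_text_field( wp_unslash( $request['tag-name'] ?? '' ) );
    return update_option( 'example_tag_name', $name );
}
function hardened_render_tag() {
    // Escape for the exact output context: esc_html() for an HTML text node,
    // esc_attr() if the value were placed inside an attribute.
    echo '<span class="tag">' . esc_html( get_option( 'example_tag_name' ) ) . '</span>';
}

// Why the advisory scopes this to multisite / DISALLOW_UNFILTERED_HTML installs:
// single-site administrators hold 'unfiltered_html', so markup from them is
// intentionally permitted. Where that capability is absent, a stored value such
// as the constructed sample below must never reach the page unescaped.
$constructed_sample = 'Meetup <b>&</b> Workshop';   // constructed test value
// After hardened_save_tag(): stored as "Meetup Workshop" (tags removed).
// After hardened_render_tag(): printed as "Meetup &amp; Workshop" if '&' survives.
```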

Affected Version(s)

WP Event Manager – Events Calendar, Registrations, Sell Tickets with WooCommerce <= 3.1.49

CVSS V3.1

Score: 4.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: High
Privileges Required: High
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Nguyen Ngoc Quang Bach