Stored Cross-Site Scripting Vulnerability in EventPrime Events Calendar Plugin
CVE-2026-13441

7.2HIGH

What is CVE-2026-13441?

The EventPrime plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'new_event_type_background_color' parameter, allowing authenticated attackers with custom-level access or higher to inject malicious scripts. This vulnerability arises from inadequate input sanitization and output escaping, thus posing risks when users access infected pages. Exploitation is contingent upon the Guest Submissions feature being enabled, allowing unauthenticated users to submit event types through the frontend. If this feature is disabled, at least a subscriber-level authenticated account is needed to exploit the vulnerability.

Affected Version(s)

EventPrime – Events Calendar, Bookings and Tickets 0 <= 4.3.4.2

References

CVSS V3.1

Score:
7.2
Severity:
HIGH
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Philipp Doblhofer
.