Stored Cross-Site Scripting Vulnerability in EventPrime Events Calendar Plugin
CVE-2026-13441
7.2HIGH
Key Information:
- Vendor
WordPress
- Vendor
- CVE Published:
- 9 July 2026
What is CVE-2026-13441?
The EventPrime plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'new_event_type_background_color' parameter, allowing authenticated attackers with custom-level access or higher to inject malicious scripts. This vulnerability arises from inadequate input sanitization and output escaping, thus posing risks when users access infected pages. Exploitation is contingent upon the Guest Submissions feature being enabled, allowing unauthenticated users to submit event types through the frontend. If this feature is disabled, at least a subscriber-level authenticated account is needed to exploit the vulnerability.
Affected Version(s)
EventPrime β Events Calendar, Bookings and Tickets 0 <= 4.3.4.2