CVE-2017-18576
No known patch is available for this vulnerability.
The affected plugin has not been updated on WordPress.org since before this CVE was disclosed; the latest installable version is still vulnerable. If you have the affected software installed, you should uninstall or replace it rather than wait for an update.
Description
The abandoned Event Notifier WordPress plugin suffers from a persistent XSS vulnerability via the loading animation attribute, with no fix ever released.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Event Notifier WordPress plugin (slug: event-notifier) is vulnerable to stored cross-site scripting (XSS) through the loading animation attribute. The vulnerability exists in all versions of the plugin, including the latest available version 1.2.2, as no patch has ever been released. The plugin's last update on WordPress.org was April 23, 2018, which predates the public disclosure of this CVE (August 22, 2019). The project is considered abandoned by its author, David Cramer.
Exploitation
An attacker with the ability to insert or modify the plugin's loading animation parameter can inject arbitrary JavaScript. The attack does not require any special network position or authentication beyond standard WordPress contributor or administrator access, depending on the plugin integration. The injected script executes in the context of the victim's browser when the victim views the plugin's output.
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the vulnerable WordPress site. This can lead to theft of session cookies, defacement, redirection to malicious sites, or other client-side attacks. The impact is limited by the browser's same-origin policy and the privileges of the authenticated user viewing the affected page.
Mitigation
No official fix has been released, and the plugin is abandoned. The only definitive mitigation is to uninstall the Event Notifier plugin and replace it with an actively maintained alternative. Web application firewalls (WAF) or custom sanitization rules might provide partial protection, but they are not a complete solution. Users should assume any version of this plugin, including 1.2.2, is vulnerable [1].
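Since removal is the only definitive mitigation, the first step is finding every copy of the plugin on a host. The script below is an added example, not code from this page or from the plugin. It assumes the default `wp-content/plugins/<slug>` layout (sites with a relocated content directory need their own path) and a default search root of `/var/www`.

```python
import re
from pathlib import Path

SLUG = "event-notifier"  # plugin slug as given on this page
# WordPress reads plugin metadata from a header comment; match its "Version:" field.
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:\s*(\S+)", re.IGNORECASE | re.MULTILINE)


def plugin_version(plugin_dir):
    """Return the Version header from the first top-level PHP file that has one."""
    for php in sorted(plugin_dir.glob("*.php")):
        try:
            head = php.read_text(encoding="utf-8", errors="replace")[:8192]
        except OSError:
            continue  # unreadable file: skip it, the directory is still reported
        match = VERSION_RE.search(head)
        if match:
            return match.group(1)
    return None


def find_installs(search_root):
    """Find every copy of the plugin under search_root (e.g. a hosting web root).

    Returns sorted (path, version) tuples. Deactivated copies are included,
    since the files remain on disk until the plugin is deleted.
    """
    hits = []
    for plugins_dir in Path(search_root).rglob("wp-content/plugins"):
        candidate = plugins_dir / SLUG
        if candidate.is_dir():
            hits.append((str(candidate), plugin_version(candidate) or "unknown"))
    return sorted(hits)


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "/var/www"  # assumed default web root
    for path, version in find_installs(root):
        # Per the page, no fixed release exists, so every copy found is reported.
        print(f"{path}\tversion={version}\tCVE-2017-18576: remove or replace")
```

The version is reported for inventory purposes only; it is not used to decide whether a copy is safe.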
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- WordPress/event-notifier
  - Range: <1.2.1
Patches
event-notifier: this plugin appears unmaintained. Its last release on WordPress.org predates this CVE's publication, so no fix has been shipped since the vulnerability was disclosed. The latest installable version is still vulnerable. Users should uninstall it or switch to an actively maintained alternative.
Source: api.wordpress.org · directory page
References
1. wordpress.org/plugins/event-notifier/ (mitre, x_refsource_MISC)