Event Geek <= 2.5.2 - Stored Cross-site Scripting (XSS)
Description
The Event Geek WordPress plugin through 2.5.2 has a stored XSS vulnerability in its 'Use your own theme' setting, allowing admin-level attackers to inject arbitrary JavaScript.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Event Geek WordPress plugin versions up to and including 2.5.2 fail to sanitize or escape the "Use your own theme" setting before outputting it on the page. This allows an authenticated user with administrator privileges to inject arbitrary HTML and JavaScript, leading to a stored Cross-Site Scripting (XSS) vulnerability [1].
Exploitation
An attacker must have administrator-level access to the WordPress site. They can navigate to the plugin settings and insert malicious JavaScript into the "Use your own theme" field. When the setting is rendered on any page, the injected script executes in the context of any user viewing that page [1].
Impact
Successful exploitation enables the attacker to execute arbitrary JavaScript in the browsers of other users, including administrators. This can lead to session hijacking, defacement, or theft of sensitive information. The attack is stored, meaning the payload persists until removed [1].
Mitigation
As of the latest disclosure, no official fix or patched version has been released. The plugin appears to be abandoned or unsupported. Users are advised to remove or disable the Event Geek plugin and consider alternative solutions. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog [1].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- WordPress / Event Geek
- Range: <=2.5.2
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing sanitization and escaping of the 'Use your own theme' setting before outputting it in the page."
Attack vector
An attacker with administrator-level privileges can inject arbitrary JavaScript into the "Use your own theme" setting field. Because the plugin fails to sanitize or escape this value before outputting it on the page [1], the injected script executes in the browsers of other users who visit the affected page. This is a stored Cross-Site Scripting (XSS) issue [CWE-79] that requires the attacker to already have admin access to the WordPress site.
Affected code
The plugin's "Use your own theme" setting is output directly into the page without sanitization or escaping. The advisory does not specify the exact file or function name, but the vulnerability lies in the code path that retrieves and displays this admin-configurable setting.
What the fix does
No patch or fix has been published for this vulnerability [1]. The advisory recommends that the plugin should sanitize and escape the "Use your own theme" setting before outputting it in the page, which would prevent the stored XSS. As of the advisory's last update, no known fix is available.
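As an added illustration (not Event Geek's code; the advisory names no file or function, so the option name and the eg_demo_* functions are assumptions), the raw-output pattern the advisory describes, beside the WordPress-native fix of sanitizing on save and escaping on output:

```php
<?php
/*
 * Added illustrative example, not Event Geek's code. The advisory names no file or
 * function, so the option name 'eg_demo_use_own_theme' and the eg_demo_* functions
 * are assumptions. Runs inside WordPress (register_setting, esc_attr, esc_html, ...).
 */

// The pattern the advisory describes: an admin-controlled option stored in wp_options
// is echoed straight into HTML, so whatever was saved renders in every viewer's browser.
function eg_demo_render_theme_setting_unsafe() {
    $theme = get_option( 'eg_demo_use_own_theme', '' );
    echo '<input type="text" name="eg_demo_use_own_theme" value="' . $theme . '">';
}

// Fix, step 1: sanitize on save. register_setting()'s sanitize_callback runs before the
// value reaches the database, so only a plain single-line string is ever stored.
function eg_demo_register_settings() {
    register_setting(
        'eg_demo_options',
        'eg_demo_use_own_theme',
        array(
            'type'              => 'string',
            'sanitize_callback' => 'sanitize_text_field',
            'default'           => '',
        )
    );
}
add_action( 'admin_init', 'eg_demo_register_settings' );

// Fix, step 2: escape on output for the context the value lands in.
// Attribute value -> esc_attr(); text node -> esc_html(). Sanitizing on save is not a
// substitute: values stored before the fix, or by another code path, still get escaped here.
function eg_demo_render_theme_setting_safe() {
    $theme = get_option( 'eg_demo_use_own_theme', '' );
    echo '<input type="text" name="eg_demo_use_own_theme" value="' . esc_attr( $theme ) . '">';
}

// Same rule on the front end, where non-admin visitors see the value.
function eg_demo_theme_shortcode() {
    $theme = get_option( 'eg_demo_use_own_theme', '' );
    return '<span class="eg-demo-theme">' . esc_html( $theme ) . '</span>';
}
add_shortcode( 'eg_demo_theme', 'eg_demo_theme_shortcode' );
```

A quick review check for this bug class: find every echo/print of a get_option() result in the plugin and confirm each is wrapped in the esc_* helper matching its output context.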
Preconditions
- Attacker must have administrator-level privileges on the WordPress site
- The Event Geek plugin (version <= 2.5.2) must be installed and active
- The 'Use your own theme' setting must be displayed on a page that other users can access
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
[1] wpscan.com/vulnerability/243d417a-6fb9-4e17-9e12-a8c605f9af8a
News mentions
No linked articles in our index yet.