Event List < 0.8.8 - Admin+ Stored Cross-Site Scripting
Description
The Event List plugin before 0.8.8 allows admin users to perform stored XSS against other admins even when unfiltered_html is disabled.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Versions of the Event List WordPress plugin before 0.8.8 fail to sanitize and escape some of the plugin's settings. This allows high-privilege users, such as administrators, to inject malicious scripts. The vulnerability is stored XSS: the injected script is saved in the plugin settings and executed when other admins view the settings page. [1]
Exploitation
An attacker with admin access can modify plugin settings to include malicious JavaScript. When other administrators visit the settings page, the script executes in their browser, even if the unfiltered_html capability is disallowed. [1]
Impact
Successful exploitation results in stored cross-site scripting: the injected script runs in other admins' browsers and can perform actions on their behalf, such as creating new admin accounts or modifying site content, within the context of the victim's session.
Mitigation
Update to version 0.8.8 or later, which fixes the sanitization issue. [1]
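The flaw described under Vulnerability and the fix under Mitigation come down to sanitizing a setting on save and escaping it on output. The following is an added illustration of that pattern using the WordPress Settings API; it is hypothetical code, not Event List's, and the option group, option name and function names are placeholders.

```php
<?php
// Added illustration (not the Event List plugin's code): a hypothetical
// plugin setting registered through the WordPress Settings API.
// Option group, option name and function names are placeholders.

// Unsafe pattern (the class of bug the advisory describes): saving the raw
// POSTed value with update_option() and echoing it back without escaping
// stores arbitrary markup that then runs for every admin who opens the
// settings page, regardless of the unfiltered_html capability.

add_action( 'admin_init', function () {
    register_setting(
        'example_plugin_options',   // option group (placeholder)
        'example_plugin_label',     // option name (placeholder)
        array(
            'type'              => 'string',
            // Strip tags and control characters before the value is stored.
            'sanitize_callback' => 'sanitize_text_field',
            'default'           => '',
        )
    );
} );

// Render the field: escape for the attribute context on output too, because
// sanitizing on save alone does not protect values stored before the fix
// or written by other code paths.
function example_plugin_render_label_field() {
    $value = get_option( 'example_plugin_label', '' );
    printf(
        '<input type="text" name="example_plugin_label" value="%s" />',
        esc_attr( $value )
    );
}

// When the same value is shown as page text, use the text-context escaper.
function example_plugin_render_label_text() {
    echo esc_html( get_option( 'example_plugin_label', '' ) );
}
```

The two escapers differ by output context (attribute value versus element text); picking the one that matches where the value lands is what prevents a stored value from being interpreted as markup.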
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- WordPress / Event List plugin
  - Range: <0.8.8
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1. wpscan.com/vulnerability/74888a9f-fb75-443d-bb85-0120cbb764a0 (MITRE, x_refsource_MISC)
News mentions
No linked articles in our index yet.