VYPR
High severity (7.1) · NVD Advisory · Published May 19, 2025 · Updated Apr 23, 2026

CVE-2025-39372

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in elbisnero WordPress Events Calendar Registration & Tickets wpeventplus allows Reflected XSS. This issue affects WordPress Events Calendar Registration & Tickets: from n/a through <= 2.6.0.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Reflected XSS in WordPress Events Calendar Registration & Tickets plugin up to 2.6.0 allows injection of malicious scripts via crafted input.

The WordPress Events Calendar Registration & Tickets plugin (wpeventplus) versions up to and including 2.6.0 contain a reflected cross-site scripting (XSS) vulnerability due to improper neutralization of user input during web page generation [1]. This flaw occurs when the plugin fails to sanitize or escape input before reflecting it in the response, allowing an attacker to embed arbitrary scripts in a crafted link.

Exploitation requires user interaction — a victim must click a specially crafted link or visit a maliciously prepared page [1]. While the vulnerability can be initiated by low-privileged roles, successful execution depends on a privileged user performing an action, such as clicking the link or submitting a form [1]. No authentication is needed from the attacker to generate the malicious payload.

If exploited, an attacker can inject malicious scripts (e.g., redirects, advertisements, or other HTML payloads) into the affected website. These scripts execute in the context of the victim's browser, potentially leading to data theft, session hijacking, or defacement [1]. The CVSS v3 base score is 7.1, reflecting moderate danger and a risk of mass exploitation [1].

As of publication, the vendor has not released an official patch, but Patchstack has issued a mitigation rule to block attacks [1]. Users are strongly advised to update the plugin as soon as a fixed version becomes available. If updating is not possible, consider contacting the hosting provider or web developer for assistance [1].
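The reflection pattern described above, shown as an added illustration rather than code from the wpeventplus plugin (whose affected code is not shown on this page): a shortcode handler that echoes a query parameter back into the page, first without neutralization and then hardened with WordPress's own sanitization and context-specific escaping functions. The parameter name `wpe_search` and both function names are hypothetical.

```php
<?php
// Hypothetical illustration, not code from the wpeventplus plugin.
// Both handlers reflect the "wpe_search" query parameter into the page.

// Vulnerable pattern: the raw request value is placed into an attribute
// and into a text node without escaping, so markup in ?wpe_search=...
// becomes part of the generated page (reflected XSS).
function wpe_demo_search_vulnerable() {
    $q = isset( $_GET['wpe_search'] ) ? $_GET['wpe_search'] : '';
    return '<form method="get">'
         . '<input type="text" name="wpe_search" value="' . $q . '">'
         . '</form><p>Results for: ' . $q . '</p>';
}

// Hardened pattern: unslash and sanitize on input, then escape at the
// point of output using the function that matches each HTML context
// (esc_attr for attribute values, esc_html for element text).
function wpe_demo_search_hardened() {
    $q = isset( $_GET['wpe_search'] )
        ? sanitize_text_field( wp_unslash( $_GET['wpe_search'] ) )
        : '';
    return '<form method="get">'
         . '<input type="text" name="wpe_search" value="' . esc_attr( $q ) . '">'
         . '</form><p>Results for: ' . esc_html( $q ) . '</p>';
}

// Shortcodes must return their markup rather than echo it, so the
// escaped string above is what lands in the rendered post content.
add_shortcode( 'wpe_demo_search', 'wpe_demo_search_hardened' );
```

Note that sanitize_text_field() on input is not a substitute for escaping on output: the escape function must be chosen per output context (attribute, text, URL) at the line that emits the value, which is the check a reviewer applies when auditing a plugin for this bug class.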

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (No patches discovered yet.)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 1

News mentions: 0 (No linked articles in our index yet.)