CVE-2025-63064

Vulnerability

Description A Improper Neutralization of Input During Web Page Generation vulnerability in the EventON plugin for WordPress enables Stored Cross-Site Scripting (XSS). This issue affects all versions from n/a through 4.9.12 and stems from insufficient sanitization of user-supplied input that is later rendered in web pages [1].

Exploitation

To exploit this vulnerability, an attacker must have a privileged user role (e.g., contributor or author) to inject malicious script payloads. The stored script then executes automatically when any visitor accesses the compromised page, which may include posts or events managed by the plugin. The CVSS v3 base score is 6.5, reflecting moderate complexity and the requirement for user interaction but no authentication for the victim [1].

Impact

Successful exploitation allows an attacker to inject arbitrary HTML and JavaScript, such as redirects, advertisements, or other malicious payloads. This can lead to defacement, phishing, or further compromise of the site and its users. The vendor advisory notes that such vulnerabilities are actively used in mass-exploit campaigns targeting thousands of websites [1].

Mitigation

Users are advised to update the EventON plugin to the latest patched version immediately. If updating is not possible, it is recommended to contact a hosting provider or web developer for assistance. No workarounds beyond the official patch are detailed [1].