VYPR
High severity · 7.1 · NVD Advisory · Published Mar 5, 2026 · Updated Apr 22, 2026

CVE-2026-28037

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ashanjay EventON eventon allows Reflected XSS. This issue affects EventON: from n/a through <= 4.9.12.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Reflected XSS vulnerability in EventON plugin versions up to 4.9.12 allows attackers to inject malicious scripts via improperly neutralized user input.

Vulnerability Overview

The EventON plugin for WordPress, in versions through 4.9.12, contains a reflected cross-site scripting (XSS) vulnerability caused by improper neutralization of input during web page generation [1]. In practice, the plugin fails to sanitize or escape user-supplied data before including it in its output, so an attacker can inject arbitrary HTML or JavaScript into the rendered page.

Exploitation Requirements

Exploitation requires user interaction: a privileged user must perform an action, such as clicking a crafted link or visiting a specially prepared page [1]. The attacker does not need special privileges but relies on tricking an authenticated user (e.g., an administrator or editor) into triggering the malicious payload. The attack can be launched remotely over the network.

Potential Impact

Successful exploitation allows an attacker to inject malicious scripts that execute in the victim's browser when they visit the affected site [1]. Common payloads include redirecting visitors to malicious sites, displaying unwanted advertisements, or stealing session cookies. Because the vulnerability is reflected and requires user interaction, the direct damage is limited to the victim's session, but it could be used in broader campaigns targeting many websites at once [1].

Mitigation and Status

The vulnerability affects EventON versions n/a through 4.9.12. As of the publication date (March 5, 2026), an official patch has not been confirmed, but Patchstack has issued a virtual mitigation rule to block attacks until a permanent fix is available [1]. Immediate action: update the plugin to the latest version if a patch exists, or apply the provided mitigation rule. Users who cannot update should consult their hosting provider for assistance [1].

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 1

News mentions: 0 (no linked articles in the index yet)