VYPR
High severity 7.1 · NVD Advisory · Published Jun 15, 2026 · Updated Jun 15, 2026

CVE-2026-42686

Description

Cross-site scripting in EventPrime plugin versions ≤4.3.2.1 allows subscriber-level users to inject malicious scripts.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The EventPrime plugin for WordPress, version 4.3.2.1 and earlier, contains a stored cross-site scripting (XSS) vulnerability affecting subscriber-level users. The vulnerability arises from insufficient input sanitization in the plugin's event calendar management functionality. Attackers can inject arbitrary JavaScript that executes in the context of other users' browsers when they interact with the compromised content. [1]

Exploitation

An attacker with a subscriber account can inject malicious JavaScript payloads through vulnerable input fields in the EventPrime plugin. The injected script is stored and executed when administrators or other users view the affected pages. No additional privileges or user interaction beyond basic subscriber access is required. [1]

Impact

Successful exploitation allows an authenticated attacker to execute arbitrary JavaScript in the browsers of other users, including administrators. This can lead to session hijacking, cookie theft, defacement, or redirection to malicious sites. The vulnerability is considered moderately dangerous and is expected to be used in mass-exploit campaigns. [1]

Mitigation

Update the EventPrime plugin to version 4.3.2.2 or later, which resolves the vulnerability. If an immediate update is not possible, apply a virtual patch or mitigation rule as provided by Patchstack. [1] No workaround is currently available for unpatched versions.

AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — this section is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 1

News mentions: 0

No linked articles in our index yet.