What the vulnerability does
01Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in elbisnero WordPress Events Calendar Registration & Tickets wpeventplus allows Reflected XSS.This issue affects WordPress Events Calendar Registration & Tickets: from n/a through <= 2.6.0.
Explanation of Vulnerability in Simple Terms
02Summary
The WordPress Events Calendar Registration & Tickets plugin through version 2.6.0 contains a cross-site scripting (XSS) vulnerability. An attacker can inject malicious scripts that execute in visitors' browsers when they view affected pages. The vulnerability requires user interaction—typically clicking a crafted link—and can affect other users on the site. Update the plugin immediately to a version newer than 2.6.0.
What an attacker can do
03Attacker Capabilities
Inject malicious scripts that run in visitors' browsers and steal session cookies or perform actions on their behalf.
Potential impact on your site
04Site Impact
Visitors' accounts and data at risk; site reputation damaged if used to redirect users or steal credentials.
Conditions required to exploit
05Prerequisites
Visitor must click a malicious link or visit a page containing the attacker's payload; no authentication required.
Key dates
06Disclosure timeline
May 19, 2025
CVE published
April 28, 2026
Record updated