Description
The WP Event Manager – Events Calendar, Registrations, Sell Tickets with WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘tag-name’ parameter in all versions up to, and including, 3.1.49 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with administrator-level access to inject arbitrary web scripts into pages; the scripts execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Product(s):
- WP-EventManager WP Event Manager for WordPress
- WP Event Manager for WordPress
- WP Event Manager 1.0 for WordPress
- WP Event Manager 1.1 for WordPress
- WP Event Manager 1.2 for WordPress
- WP Event Manager 1.3 for WordPress
- WP Event Manager 1.4 for WordPress
- WP Event Manager 1.5 for WordPress
- WP Event Manager 1.6 for WordPress
- WP Event Manager 1.7 for WordPress
- WP Event Manager 1.8 for WordPress
- WP Event Manager 1.9 for WordPress
- WP Event Manager 2.0 for WordPress
- WP Event Manager 2.1 for WordPress
- WP Event Manager 2.2 for WordPress
- WP Event Manager 2.3 for WordPress
- WP Event Manager 2.4 for WordPress
- WP Event Manager 2.5 for WordPress
- WP Event Manager 2.6 for WordPress
- WP Event Manager 2.7 for WordPress
- WP Event Manager 2.8 for WordPress
- WP Event Manager 2.9 for WordPress
- WP Event Manager 3.0 for WordPress
- WP Event Manager 3.1.10 for WordPress
- WP Event Manager 3.1.11 for WordPress
- WP Event Manager 3.1.12 for WordPress
- WP Event Manager 3.1.13 for WordPress
- WP Event Manager 3.1.14 for WordPress
- WP Event Manager 3.1.15 for WordPress
- WP Event Manager 3.1.16 for WordPress
- WP Event Manager 3.1.17 for WordPress
- WP Event Manager 3.1.18 for WordPress
- WP Event Manager 3.1.19 for WordPress
- WP Event Manager 3.1.1 for WordPress
- WP Event Manager 3.1.20 for WordPress
- WP Event Manager 3.1.21 for WordPress
- WP Event Manager 3.1.22 for WordPress
- WP Event Manager 3.1.23 for WordPress
- WP Event Manager 3.1.24 for WordPress
- WP Event Manager 3.1.25 for WordPress
- WP Event Manager 3.1.26 for WordPress
- WP Event Manager 3.1.27 for WordPress
- WP Event Manager 3.1.28 for WordPress
- WP Event Manager 3.1.29 for WordPress
- WP Event Manager 3.1.2 for WordPress
- WP Event Manager 3.1.30 for WordPress
- WP Event Manager 3.1.38 for WordPress
- WP Event Manager 3.1.39 for WordPress
- WP Event Manager 3.1.3 for WordPress
- WP Event Manager 3.1.40 for WordPress
- WP Event Manager 3.1.41 for WordPress
- WP Event Manager 3.1.42 for WordPress
- WP Event Manager 3.1.43 for WordPress
- WP Event Manager 3.1.44 for WordPress
- WP Event Manager 3.1.45 for WordPress
- WP Event Manager 3.1.46 for WordPress
- WP Event Manager 3.1.47 for WordPress
- WP Event Manager 3.1.4 for WordPress
- WP Event Manager 3.1.5 for WordPress
- WP Event Manager 3.1.6 for WordPress
- WP Event Manager 3.1.7 for WordPress
- WP Event Manager 3.1.8 for WordPress
- WP Event Manager 3.1.9 for WordPress
Questions to Ask Vendors:
- Can you confirm whether your systems are affected by CVE-2025-2799, and if so, what steps are you currently taking to mitigate this vulnerability?
- What is your estimated timeline for fully resolving CVE-2025-2799 in your products or services, and how will you communicate updates on this issue to us as your customer?
Recommended Actions:
- Check out the advisory links provided below.
References:
- http://webappsec.pbworks.com/Cross-Site+Scripting
- https://capec.mitre.org/data/definitions/209.html
- https://capec.mitre.org/data/definitions/588.html
- https://capec.mitre.org/data/definitions/591.html
- https://capec.mitre.org/data/definitions/592.html
- https://capec.mitre.org/data/definitions/63.html
- https://capec.mitre.org/data/definitions/85.html
- https://nvd.nist.gov/vuln/detail/CVE-2025-2799