HIGH · CVE-2026-25361 · CVSS 7.1

WordPress WpEvently plugin <= 5.1.4 - Reflected Cross Site Scripting (XSS) vulnerability

Platform: wordpress
Component: mage-eventpress
Fixed version: 5.1.5

AI Confidence: high · NVD · EPSS 0.0% · Reviewed: May 2026

CVE-2026-25361 describes a Reflected Cross-Site Scripting (XSS) vulnerability discovered in the WpEvently WordPress plugin developed by magepeopleteam. This vulnerability allows attackers to inject malicious scripts into web pages viewed by other users, potentially leading to account compromise and data theft. The vulnerability affects versions of WpEvently from 0.0.0 through 5.1.4, and a patch is available in version 5.1.5.


Impact and attack scenarios

The primary impact of this XSS vulnerability is the ability for an attacker to execute arbitrary JavaScript code within the context of a user's browser. This can be achieved by crafting a malicious URL containing the injected script and tricking a user into clicking it. Successful exploitation could allow an attacker to steal session cookies, redirect users to phishing sites, deface the website, or even gain control of the user's WordPress account. The blast radius extends to all users who visit the affected pages and interact with the plugin, particularly those who are logged in.

Exploitation status

CVE-2026-25361 was publicly disclosed on 2026-03-25. While no active exploitation campaigns have been publicly reported as of this writing, the ease of exploitation associated with reflected XSS vulnerabilities means it is likely to be targeted. The CVSS score of 7.1 (HIGH) indicates a significant risk. There are currently no KEV listings for this CVE.

Who is at risk

Websites using the WpEvently plugin, particularly those with user registration or comment functionality, are at risk. Shared hosting environments where multiple websites share the same server resources are also at increased risk, as a compromise of one site could potentially lead to the compromise of others.

Detection steps

• wordpress / composer / npm:

grep -r "mage-eventpress" /var/www/html/wp-content/plugins/
wp plugin list | grep mage-eventpress

• generic web:

curl -I 'https://example.com/?param=<script>alert(1)</script>'
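
A version-aware variant of the checks above, as an added example that is not part of the original advisory: it reads the plugin's `Version:` header and compares it with the fixed release 5.1.5 instead of only testing for presence. The `/var/www/html` default comes from the grep command above; the function names are hypothetical and `sort -V` (GNU coreutils) is assumed to be available.

```shell
#!/bin/sh
# Added example: version-aware check for the mage-eventpress (WpEvently) plugin.
FIXED="5.1.5"   # first patched release, per the advisory

# Print the "Version:" header of the plugin's main file. The file name is not
# assumed: the main file is whichever top-level PHP file has a "Plugin Name:" header.
plugin_version() {
    for f in "$1"/*.php; do
        [ -f "$f" ] || continue
        grep -q 'Plugin Name:' "$f" || continue
        v=$(sed -n 's/^[[:space:]*#@]*Version:[[:space:]]*\([0-9][0-9A-Za-z.+-]*\).*/\1/p' "$f" | head -n 1)
        if [ -n "$v" ]; then printf '%s\n' "$v"; return 0; fi
    done
    return 1
}

# Succeed (exit 0) when version $1 sorts before $FIXED, i.e. 0.0.0 through 5.1.4.
is_vulnerable() {
    [ "$1" = "$FIXED" ] && return 1
    lowest=$(printf '%s\n%s\n' "$1" "$FIXED" | sort -V | head -n 1)
    [ "$lowest" = "$1" ]
}

# Report the plugin state for one WordPress root directory.
check_site() {
    dir="$1/wp-content/plugins/mage-eventpress"
    [ -d "$dir" ] || { echo "not-installed"; return 0; }
    ver=$(plugin_version "$dir") || { echo "unknown-version"; return 0; }
    if is_vulnerable "$ver"; then echo "VULNERABLE $ver"; else echo "patched $ver"; fi
}

check_site "${1:-/var/www/html}"
```

Where WP-CLI is installed, `wp plugin get mage-eventpress --field=version` yields the same version string to pass to `is_vulnerable`.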

Attack timeline

  1. Disclosure

Threat intelligence

Exploit status

Proof of concept: unknown
CISA KEV: NO
Internet exposure

EPSS

0.04% (11th percentile)

CISA SSVC

Exploitation: none
Automatable: no
Technical impact: partial

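CVSS vector

Threat intelligence · CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
7.1 HIGH
nextguardhq.com · CVSS v3.1 base score

What do these metrics mean?

• Attack Vector (how the attacker reaches the target): Network. Remotely exploitable over the internet; no physical or local access required.
• Attack Complexity (conditions required for exploitation): Low. No special conditions required; reliably exploitable.
• Privileges Required (authentication level required for the attack): None. No authentication required; exploitable without credentials.
• User Interaction (whether victim action is required): Required. The victim must take an action such as opening a file or clicking a link.
• Scope (impact beyond the affected component): Changed. The attack can spread beyond the vulnerable component to other systems.
• Confidentiality (risk of confidential data disclosure): Low. Partial access to some data.
• Integrity (risk of unauthorized data modification): Low. Data can be modified to a limited extent.
• Availability (risk of service disruption): Low. Partial or intermittent denial of service.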

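Affected software

Component: mage-eventpress
Vendor: wordfence
Affected range: 0.0.0 – 5.1.4
Fixed version: 5.1.5

Package information

Active installs: 7K (niche)
Plugin rating: 4.5
Requires WordPress: 5.3+
Tested up to: 7.0
Requires PHP: 7.4+

Weakness classification (CWE)

Timeline

  1. Reserved
  2. Published
  3. Updated
  4. EPSS updated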

Mitigations and workarounds

The most effective mitigation is to immediately upgrade the WpEvently plugin to version 5.1.5 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider implementing input validation and output encoding on user-supplied data within the plugin. Web Application Firewalls (WAFs) configured to detect and block XSS payloads can also provide a layer of protection. Regularly scan your WordPress installation for vulnerable plugins using security scanning tools.

How to fix

Update to version 5.1.5, or a newer patched version


Frequently asked questions

What is CVE-2026-25361 — Reflected XSS in WpEvently?

CVE-2026-25361 is a Reflected XSS vulnerability in the WpEvently WordPress plugin, allowing attackers to inject malicious scripts via crafted URLs.

Am I affected by CVE-2026-25361 in WpEvently?

You are affected if you are using WpEvently versions 0.0.0 through 5.1.4. Upgrade to 5.1.5 or later to resolve the vulnerability.

How do I fix CVE-2026-25361 in WpEvently?

Upgrade the WpEvently plugin to version 5.1.5 or later. Consider input validation and output encoding as a temporary workaround.

Is CVE-2026-25361 being actively exploited?

No active exploitation campaigns have been publicly reported, but the vulnerability's ease of exploitation suggests it may be targeted.

Where can I find the official WpEvently advisory for CVE-2026-25361?

Refer to the magepeopleteam website or the WordPress plugin repository for the official advisory and update information.
