Platform: wordpress
Component: mage-eventpress
Fixed version: 5.1.5
CVE-2026-25361 describes a Reflected Cross-Site Scripting (XSS) vulnerability discovered in the WpEvently WordPress plugin developed by magepeopleteam. This vulnerability allows attackers to inject malicious scripts into web pages viewed by other users, potentially leading to account compromise and data theft. The vulnerability affects versions of WpEvently from 0.0.0 through 5.1.4, and a patch is available in version 5.1.5.
The primary impact of this XSS vulnerability is the ability for an attacker to execute arbitrary JavaScript code within the context of a user's browser. This can be achieved by crafting a malicious URL containing the injected script and tricking a user into clicking it. Successful exploitation could allow an attacker to steal session cookies, redirect users to phishing sites, deface the website, or even gain control of the user's WordPress account. The blast radius extends to all users who visit the affected pages and interact with the plugin, particularly those who are logged in.
CVE-2026-25361 was publicly disclosed on 2026-03-25. While no active exploitation campaigns have been publicly reported as of this writing, the ease of exploitation associated with reflected XSS vulnerabilities means it is likely to be targeted. The CVSS score of 7.1 (HIGH) indicates a significant risk. There are currently no KEV listings for this CVE.
Websites using the WpEvently plugin, particularly those with user registration or comment functionality, are at risk. Shared hosting environments where multiple websites share the same server resources are also at increased risk, as a compromise of one site could potentially lead to the compromise of others.
• wordpress / composer / npm:
grep -r "mage-eventpress" /var/www/html/wp-content/plugins/
wp plugin list | grep mage-eventpress
• generic web:
curl -I "https://example.com/?param=<script>alert(1)</script>"
Exploitation status
EPSS
0.04% (11th percentile)
The most effective mitigation is to immediately upgrade the WpEvently plugin to version 5.1.5 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider implementing input validation and output encoding on user-supplied data within the plugin. Web Application Firewalls (WAFs) configured to detect and block XSS payloads can also provide a layer of protection. Regularly scan your WordPress installation for vulnerable plugins using security scanning tools.
Update to version 5.1.5, or a newer patched version
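To make the "input validation and output encoding" workaround concrete, here is an added example (not WpEvently's code and not taken from the advisory) of a hypothetical WordPress shortcode that reflects a query parameter, shown first in the pattern that produces reflected XSS and then hardened with the core WordPress sanitization and escaping API. The parameter name `mep_search`, the shortcode name and the text domain are assumptions.

```php
<?php
// Added example, not code from the WpEvently plugin. The parameter name
// "mep_search", the shortcode "mep_demo_search" and the text domain
// "mep-demo" are assumed for illustration only.

// Vulnerable pattern: raw request data is concatenated into HTML, so a
// crafted URL can close the attribute or tag and inject script.
function mep_demo_search_box_vulnerable() {
    $term = isset( $_GET['mep_search'] ) ? $_GET['mep_search'] : '';
    $out  = '<form method="get">';
    $out .= '<input type="text" name="mep_search" value="' . $term . '">';
    $out .= '</form><p>Results for: ' . $term . '</p>';
    return $out;
}

// Hardened pattern: validate on input, then encode for each output context.
function mep_demo_search_box_hardened() {
    // wp_unslash() removes the slashes WordPress adds to request data;
    // sanitize_text_field() strips tags, invalid UTF-8 and extra whitespace.
    $term = isset( $_GET['mep_search'] )
        ? sanitize_text_field( wp_unslash( $_GET['mep_search'] ) )
        : '';

    // Allow-list the expected shape (letters, digits, space, . _ -) and
    // bound the length; anything else is discarded rather than reflected.
    if ( ! preg_match( '/^[\p{L}\p{N} ._-]{0,64}$/u', $term ) ) {
        $term = '';
    }

    // esc_url() for URL context, esc_attr() for attribute context and
    // esc_html() for text-node context; never reuse one escaper for all three.
    $out  = '<form method="get" action="' . esc_url( home_url( '/' ) ) . '">';
    $out .= '<input type="text" name="mep_search" value="' . esc_attr( $term ) . '">';
    $out .= '</form><p>' . esc_html__( 'Results for:', 'mep-demo' ) . ' ';
    $out .= esc_html( $term ) . '</p>';
    return $out;
}

// Only the hardened handler is registered; the vulnerable one is kept
// above purely to show the contrast.
add_shortcode( 'mep_demo_search', 'mep_demo_search_box_hardened' );
```

Escaping must happen at the point of output in the context the value lands in; sanitizing on input alone does not prevent reflected XSS when the same value is later written into an attribute, a text node and a URL.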
CVE-2026-25361 is a Reflected XSS vulnerability in the WpEvently WordPress plugin, allowing attackers to inject malicious scripts via crafted URLs.
You are affected if you are using WpEvently versions 0.0.0 through 5.1.4. Upgrade to 5.1.5 or later to resolve the vulnerability.
Upgrade the WpEvently plugin to version 5.1.5 or later. Consider input validation and output encoding as a temporary workaround.
No active exploitation campaigns have been publicly reported, but the vulnerability's ease of exploitation suggests it may be targeted.
Refer to the magepeopleteam website or the WordPress plugin repository for the official advisory and update information.