{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1941", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-02-04T21:29:16.789Z", "datePublished": "2026-02-18T08:26:03.081Z", "dateUpdated": "2026-04-08T16:52:25.182Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:52:25.182Z"}, "affected": [{"vendor": "xylus", "product": "WP Event Aggregator: Import Eventbrite events, Meetup events, social events and any iCal Events into Event Calendar", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.8.7", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The WP Event Aggregator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wp_events' shortcode in all versions up to, and including, 1.8.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "WP Event Aggregator <= 1.8.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/50d8f1e0-2022-4fe1-b384-ca762a032d3c?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-event-aggregator/trunk/includes/class-wp-event-aggregator-cpt.php#L56"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-event-aggregator/tags/1.8.7/includes/class-wp-event-aggregator-cpt.php#L56"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-event-aggregator/trunk/includes/class-wp-event-aggregator-cpt.php#L567"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-event-aggregator/tags/1.8.7/includes/class-wp-event-aggregator-cpt.php#L567"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-event-aggregator/trunk/includes/class-wp-event-aggregator-cpt.php#L761"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-event-aggregator/tags/1.8.7/includes/class-wp-event-aggregator-cpt.php#L761"}, {"url": "https://plugins.trac.wordpress.org/changeset/3455440/wp-event-aggregator#file18"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Athiwat Tiprasaharn"}, {"lang": "en", "type": "finder", "value": "Waris Damkham"}], "timeline": [{"time": "2026-02-05T06:47:45.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-02-17T20:12:40.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-18T12:24:56.771998Z", "id": "CVE-2026-1941", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-18T12:51:49.408Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1941", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-18T12:24:56.771998Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-18T12:24:57.790Z"}}], "cna": {"title": "WP Event Aggregator <= 1.8.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes", "credits": [{"lang": "en", "type": "finder", "value": "Athiwat Tiprasaharn"}, {"lang": "en", "type": "finder", "value": "Waris Damkham"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "xylus", "product": "WP Event Aggregator: Import Eventbrite events, Meetup events, social events and any iCal Events into Event Calendar", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "1.8.7"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-02-05T06:47:45.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-02-17T20:12:40.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/50d8f1e0-2022-4fe1-b384-ca762a032d3c?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-event-aggregator/trunk/includes/class-wp-event-aggregator-cpt.php#L56"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-event-aggregator/tags/1.8.7/includes/class-wp-event-aggregator-cpt.php#L56"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-event-aggregator/trunk/includes/class-wp-event-aggregator-cpt.php#L567"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-event-aggregator/tags/1.8.7/includes/class-wp-event-aggregator-cpt.php#L567"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-event-aggregator/trunk/includes/class-wp-event-aggregator-cpt.php#L761"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-event-aggregator/tags/1.8.7/includes/class-wp-event-aggregator-cpt.php#L761"}, {"url": "https://plugins.trac.wordpress.org/changeset/3455440/wp-event-aggregator#file18"}], "descriptions": [{"lang": "en", "value": "The WP Event Aggregator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wp_events' shortcode in all versions up to, and including, 1.8.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-02-18T08:26:03.081Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1941", "state": "PUBLISHED", "dateUpdated": "2026-02-18T12:51:49.408Z", "dateReserved": "2026-02-04T21:29:16.789Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-02-18T08:26:03.081Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The WP Event Aggregator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wp_events' shortcode in all versions up to, and including, 1.8.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "El plugin WP Event Aggregator para WordPress es vulnerable a cross-site scripting almacenado a trav\u00e9s del shortcode 'wp_events' del plugin en todas las versiones hasta la 1.8.7, inclusive, debido a una sanitizaci\u00f3n de entrada insuficiente y un escape de salida en atributos proporcionados por el usuario. Esto hace posible que atacantes autenticados, con acceso de nivel Colaborador o superior, inyecten scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n cada vez que un usuario acceda a una p\u00e1gina inyectada."}], "id": "CVE-2026-1941", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-02-18T09:15:58.603", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wp-event-aggregator/tags/1.8.7/includes/class-wp-event-aggregator-cpt.php#L56"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wp-event-aggregator/tags/1.8.7/includes/class-wp-event-aggregator-cpt.php#L567"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wp-event-aggregator/tags/1.8.7/includes/class-wp-event-aggregator-cpt.php#L761"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wp-event-aggregator/trunk/includes/class-wp-event-aggregator-cpt.php#L56"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wp-event-aggregator/trunk/includes/class-wp-event-aggregator-cpt.php#L567"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wp-event-aggregator/trunk/includes/class-wp-event-aggregator-cpt.php#L761"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3455440/wp-event-aggregator#file18"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/50d8f1e0-2022-4fe1-b384-ca762a032d3c?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 70.0, "confidence_source": "inferred", "scores": [{"score": 70.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.8.7]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "WP Event Aggregator: Import Eventbrite events, Meetup events, social events and any iCal Events into Event Calendar", "source": "cna", "vendor": "xylus"}, "product": "wp_event_aggregator:_import_eventbrite_events,_meetup_events,_social_events_and_any_ical_events_into_event_calendar", "vendor": "xylus"}], "analysis": {"en": {"generated_at": "2026-04-15T20:21:00.516251+00:00", "value": {"mitigation_remediation": ["Deactivate or remove the WP Event Aggregator plugin, or disable the 'wp_events' shortcode until a vendor\u2011supplied fix is released.", "If removal is not immediately feasible, sanitize shortcode attributes by escaping or stripping disallowed input before storing or rendering.", "Configure a strict Content Security Policy to block inline scripts and restrict script sources, reducing the impact of any injected payload."], "summary": {"action": "Mitigate", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "WordPress sites running the WP Event Aggregator plugin versions 1.8.7 or earlier, all of which are distributed by Xylus. All users with Contributor\u2011level or higher access can exploit the flaw. The vulnerability exists across all configurations of the shortcode that accept user\u2011supplied attributes.", "description_and_impact": "The WP Event Aggregator plugin for WordPress is vulnerable to stored cross\u2011site scripting due to insufficient sanitization of attributes passed to the 'wp_events' shortcode. An attacker with Contributor or higher privileges can inject arbitrary JavaScript into posts or pages. This script will execute for any visitor to the affected content, compromising confidentiality and potentially allowing further attacks such as cookie theft, session hijacking, or defacement.", "risk_and_exploitability": "The CVSS score of 6.4 indicates a moderate severity. With an EPSS score of less than\u202f1\u202f%, the probability of exploitation is low, and the vulnerability is not catalogued in the CISA KEV list. The likely attack vector is an authenticated Contributor using the 'wp_events' shortcode to store malicious attributes. Because exploitation requires authenticated access with Contributor permission, attackers must first gain or possess legitimate user credentials. The stored nature of the flaw means that once injected, the malicious code will persist in the database and affect all subsequent page loads for all users until the plugin is disabled or the attributes are correctly sanitized. At present, no vendor\u2011supplied update resolves the issue, so administrators must mitigate by disabling the plugin or filtering input. The impact is primarily the execution of arbitrary client\u2011side code, which can lead to phishing, data exfiltration, or further server\u2011side compromise via social engineering."}}}}, "created": "2026-02-19T10:20:34.163337+00:00", "updated": "2026-04-15T20:30:13.773960+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress", "xylus", "xylus$PRODUCT$wp_event_aggregator:_import_eventbrite_events,_meetup_events,_social_events_and_any_ical_events_into_event_calendar"]}