Product
A critical stored Cross-Site Scripting (XSS) vulnerability, CVE-2026-13441, exists in all versions up to 4.3.4.2 of the EventPrime - Events Calendar, Bookings and Tickets plugin for WordPress, allowing authenticated attackers with custom-level access (or unauthenticated attackers if 'Guest Submissions' is enabled) to inject malicious web scripts via the new_event_type_background_color parameter that execute whenever a user accesses an affected page, potentially leading to session hijacking, defacement, or further compromise.