<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>EventPrime – Events Calendar, Bookings and Tickets Plugin (&lt;= 4.3.4.2) - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/eventprime--events-calendar-bookings-and-tickets-plugin--4.3.4.2/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Thu, 09 Jul 2026 11:18:17 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/eventprime--events-calendar-bookings-and-tickets-plugin--4.3.4.2/feed.xml" rel="self" type="application/rss+xml"/><item><title>EventPrime WordPress Plugin Stored XSS (CVE-2026-13441)</title><link>https://feed.craftedsignal.io/briefs/2026-07-eventprime-xss/</link><pubDate>Thu, 09 Jul 2026 11:18:17 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-eventprime-xss/</guid><description>A critical stored Cross-Site Scripting (XSS) vulnerability, CVE-2026-13441, exists in all versions up to 4.3.4.2 of the EventPrime - Events Calendar, Bookings and Tickets plugin for WordPress, allowing authenticated attackers with custom-level access (or unauthenticated attackers if 'Guest Submissions' is enabled) to inject malicious web scripts via the new_event_type_background_color parameter that execute whenever a user accesses an affected page, potentially leading to session hijacking, defacement, or further compromise.</description><content:encoded><![CDATA[<p>A significant stored Cross-Site Scripting (XSS) vulnerability, tracked as CVE-2026-13441, has been identified in the EventPrime - Events Calendar, Bookings and Tickets plugin for WordPress. This flaw impacts all versions up to and including 4.3.4.2. The vulnerability stems from insufficient input sanitization and output escaping when handling the <code>new_event_type_background_color</code> parameter. Attackers can exploit this by injecting arbitrary web scripts into pages that subsequently execute when viewed by other users. Exploitation typically requires an authenticated user with custom-level access or higher. However, if the plugin's <code>Guest Submissions</code> setting (<code>allow_submission_by_anonymous_user</code>) is enabled, even unauthenticated individuals can leverage frontend forms to inject malicious scripts. Successful exploitation can lead to session hijacking, data theft, website defacement, or redirection to malicious sites, posing a direct threat to the integrity and security of affected WordPress installations and their users. Defenders should prioritize patching and monitoring for suspicious web requests targeting this plugin.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Reconnaissance &amp; Vulnerability Identification</strong>: An attacker identifies a WordPress website running the EventPrime plugin (versions &lt;= 4.3.4.2) and confirms the presence of the vulnerability, potentially by checking plugin version numbers.</li>
<li><strong>Initial Access / Authentication</strong>: The attacker either obtains credentials for a custom-level (or higher) WordPress user account or identifies that the EventPrime plugin's &quot;Guest Submissions&quot; setting is enabled, allowing unauthenticated submissions.</li>
<li><strong>Malicious Payload Crafting</strong>: The attacker develops a Stored XSS payload (e.g., <code>&lt;script&gt;alert(document.domain);&lt;/script&gt;</code>, <code>&lt;img src=x onerror=alert(1)&gt;</code>) specifically designed to execute in a victim's browser context.</li>
<li><strong>Injection via Parameter</strong>: The attacker sends an HTTP POST request to the EventPrime plugin's event creation or submission endpoint, embedding the malicious XSS payload within the <code>new_event_type_background_color</code> parameter.</li>
<li><strong>Payload Persistence</strong>: Due to the plugin's insufficient input sanitization, the WordPress backend stores the malicious <code>new_event_type_background_color</code> value, including the XSS payload, in its database.</li>
<li><strong>Victim Interaction &amp; Trigger</strong>: A legitimate user, such as a site administrator or another visitor, navigates to a WordPress page where the crafted event type (containing the vulnerable parameter) is displayed.</li>
<li><strong>Client-Side Execution</strong>: The victim's web browser renders the page, retrieves the stored malicious <code>new_event_type_background_color</code> value, and executes the injected JavaScript code in the context of the victim's session.</li>
<li><strong>Impact &amp; Objective</strong>: The executed script performs its intended action, such as stealing the victim's session cookies (leading to session hijacking), defacing the web page, redirecting the user to a phishing site, or initiating further client-side attacks.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-13441 can have severe consequences for affected WordPress websites and their users. Attackers can hijack administrator sessions, leading to full site compromise, data exfiltration, or the injection of additional malware. For regular users, XSS can facilitate phishing attacks, credential theft, or drive-by downloads. The integrity and reputation of the targeted organization can be significantly damaged due to defaced content or widespread malicious redirects. While specific victim counts are not available, the widespread use of WordPress and popular plugins like EventPrime means a large number of organizations across various sectors could be vulnerable, particularly those not maintaining timely updates or enabling guest submission features.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Patch CVE-2026-13441 immediately by updating the EventPrime - Events Calendar, Bookings and Tickets plugin to a version greater than 4.3.4.2.</li>
<li>Enable comprehensive web server logging to capture full HTTP request details, including query strings and potentially POST bodies, to allow detection of XSS injection attempts.</li>
<li>Deploy the Sigma rule provided in this brief to your SIEM and tune for your environment to detect attempts to exploit CVE-2026-13441.</li>
<li>Review EventPrime's <code>Guest Submissions</code> setting (<code>allow_submission_by_anonymous_user</code>) and disable it if not strictly required, to mitigate the risk of unauthenticated exploitation of CVE-2026-13441.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>web-vulnerability</category><category>wordpress</category><category>xss</category><category>plugin</category></item></channel></rss>