CVE-2026-13441 in EventPrime Plugininfo

Summary

by MITRE • 07/09/2026

The EventPrime – Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'new_event_type_background_color' parameter in all versions up to, and including, 4.3.4.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with custom-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This requires the plugin's Guest Submissions setting (allow_submission_by_anonymous_user) to be enabled, which allows unauthenticated attackers to submit event types via the frontend form; when that setting is disabled, exploitation requires at minimum a subscriber-level authenticated account.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 07/09/2026

The EventPrime WordPress plugin presents a critical stored cross-site scripting vulnerability that affects versions up to and including 4342. This flaw resides in the 'new_event_type_background_color' parameter handling within the plugin's event type creation functionality. The vulnerability stems from inadequate input sanitization and insufficient output escaping mechanisms, creating a persistent security weakness that allows malicious code execution. The flaw is particularly concerning because it operates at the core of the plugin's event management system where users can define background colors for different event types through the administrative interface.

The technical exploitation of this vulnerability requires authenticated access with custom-level privileges or higher, though the attack vector becomes more accessible when the Guest Submissions setting is enabled. When the allow_submission_by_anonymous_user parameter is active, unauthenticated attackers can submit malicious event type data through the frontend form, bypassing traditional authentication barriers. However, even without guest submissions enabled, a minimum subscriber-level authenticated account suffices for exploitation, demonstrating how this vulnerability can be leveraged across multiple privilege levels within WordPress environments. The stored nature of the XSS means that malicious scripts are permanently embedded within the plugin's data storage and executed whenever affected pages are accessed by any user.

The operational impact of this vulnerability extends beyond simple script execution as it creates potential for data theft, session hijacking, and further exploitation within the compromised WordPress environment. Attackers could craft malicious background color values that contain JavaScript payloads designed to steal cookies, redirect users to malicious sites, or perform other harmful actions against authenticated users. This vulnerability directly maps to CWE-79 which describes improper neutralization of input during web page generation, and aligns with ATT&CK technique T1566.002 for phishing with malicious attachments, as the XSS could be used to deliver additional malware payloads. The attack chain typically involves an attacker creating a malicious event type submission, having it approved or processed through the system, and then waiting for other users to view pages containing the compromised content.

Mitigation strategies should include immediate patching to the latest plugin version where this vulnerability has been addressed, along with thorough input validation and output escaping implementations. Administrators must disable guest submissions when not required and implement strict role-based access controls. Additionally, monitoring for suspicious event type submissions and implementing content security policies can provide defense-in-depth measures. The vulnerability highlights the importance of proper sanitization routines and demonstrates how seemingly innocuous parameters like color codes can become attack vectors when insufficiently validated and escaped within web applications. Regular security audits should verify that all user-supplied data undergoes appropriate sanitization before storage, particularly in plugins that handle rich text or formatting parameters where XSS vulnerabilities commonly occur.

Responsible

Wordfence

Reservation

06/26/2026

Disclosure

07/09/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Do you know our Splunk app?

Download it now for free!