A high-severity vulnerability has been identified in the Community Events plugin for WordPress, allowing for a Stored Cross-Site Scripting (XSS) attack. An attacker can inject malicious code into the event details, which then executes in the web browsers of anyone viewing the event, potentially leading to the theft of user credentials, session hijacking, or website defacement. Organizations using this plugin are at risk of user account compromise and reputational damage.

The vulnerability is a Stored Cross-Site Scripting (XSS) flaw within the "event details" parameter of the Community Events plugin. The application fails to properly sanitize user-supplied input when an event is created or updated. An authenticated attacker, potentially with low-level privileges, can submit a malicious script (e.g., JavaScript) in the event details field, which is then stored in the website's database. When any user, including administrators, views the compromised event page, the malicious script is served by the website and executed within their browser, operating under the security context of the vulnerable site.

This vulnerability is rated as High severity with a CVSS score of 7.2. Successful exploitation could lead to significant negative business impacts. An attacker could hijack user and administrator sessions by stealing session cookies, allowing them to perform actions on behalf of the compromised user, potentially leading to full site takeover. Other risks include the theft of sensitive personal data, redirection of users to phishing or malware sites, unauthorized content modification, and significant reputational damage to the organization.

Immediate Action:

• Identify all WordPress instances utilizing the "Community Events" plugin.
• Update the plugin to the latest patched version immediately. If a patch is not yet available, disable the plugin until one is released.
• If the plugin is not essential for business operations, review its necessity and consider deactivating and removing it to reduce the attack surface.

Proactive Monitoring:

• Review web server access logs for suspicious POST requests to event creation/editing pages, specifically looking for payloads containing HTML script tags (<script>, <img>, onerror, etc.).
• Monitor for unusual outbound connections from client browsers after they have visited event pages on the site.
• Implement and monitor a Content Security Policy (CSP) to report and block unauthorized script execution attempts.

Compensating Controls:

• If immediate patching is not feasible, deploy a Web Application Firewall (WAF) with updated rulesets designed to detect and block XSS attack patterns.
• Temporarily restrict permissions for creating and editing events to only highly trusted administrators.
• Manually audit existing event details content for any suspicious scripts and sanitize the database entries.

Public Exploit Available: false

Given the high severity (CVSS 7.2) of this vulnerability and its potential for session hijacking and website compromise, we recommend immediate action. Organizations must prioritize patching all internet-facing WordPress sites running the affected "Community Events" plugin. Although this vulnerability is not currently on the CISA KEV list, the popularity of WordPress makes it a prime target for opportunistic attackers, and proactive remediation is critical to prevent exploitation.