CVE-2025-2800

WordPress · WordPress WP Event Manager – Events Calendar, Registrations, Sell Tickets with WooCommerce plugin

A high-severity vulnerability has been identified in the WP Event Manager plugin for WordPress.

Executive summary

The flaw is a stored cross-site scripting (XSS) issue. An authenticated attacker who can create or edit events can inject script into the 'organizer name' field; the value is stored on the server and later rendered into event pages without adequate escaping, so the script executes in the browsers of users viewing the event, potentially leading to account compromise, data theft, or website defacement.

Vulnerability

The vulnerability is a Stored Cross-Site Scripting (XSS) flaw. An authenticated attacker can inject a malicious script (e.g., JavaScript, or an HTML element carrying an event-handler attribute such as onerror) into the organizer_name parameter when creating or editing an event. The plugin neither sufficiently sanitizes this value when saving it nor escapes it when rendering it. Consequently, when any user, including an administrator, views a page that displays the malicious organizer name, the script runs in the site's origin with that user's authenticated session and can perform any action the victim could perform from the browser.
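The following Python model, added here as an illustration and not taken from the plugin's code, shows why the flaw is fixed by escaping at output time rather than by filtering input. It renders an organizer name into an attribute and a text node, once unescaped (the vulnerable pattern) and once escaped for context (the hardened pattern, corresponding to esc_attr() and esc_html() in WordPress), and also applies a naive input blocklist that strips only <script> elements. The three payloads and the render templates are constructed for the example; the scanner uses Python's own HTML parser to find constructs a browser would execute.

```python
import html
import re
from html.parser import HTMLParser

# Constructed payloads for illustration (not from the advisory); each abuses a different HTML context.
PAYLOADS = {
    "script_tag": "<script>alert(document.domain)</script>",
    "img_onerror": "<img src=x onerror=alert(document.domain)>",
    "attr_breakout": '" autofocus onfocus="alert(document.domain)',
}


def render_unsafe(organizer_name):
    """Vulnerable pattern: the stored value is concatenated into HTML without escaping.
    The same value lands in a quoted attribute (title) and in element text."""
    return f'<span class="organizer" title="{organizer_name}">{organizer_name}</span>'


def render_safe(organizer_name):
    """Hardened pattern: escape at output time for the context the value is placed in.
    html.escape(quote=True) neutralises <, >, &, " and ' so the value can neither close the
    quoted attribute nor start a new element in the text node."""
    escaped = html.escape(organizer_name, quote=True)
    return f'<span class="organizer" title="{escaped}">{escaped}</span>'


def naive_sanitize(organizer_name):
    """Input-side blocklist that removes only <script> elements: a common but insufficient fix."""
    return re.sub(r"<script\b.*?</script\s*>", "", organizer_name, flags=re.I | re.S)


class ActiveContentScanner(HTMLParser):
    """Parses markup the way a browser would and records constructs that execute script."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append(("script", None))
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append((tag, name))
            elif name in ("href", "src", "action") and value and value.strip().lower().startswith("javascript:"):
                self.findings.append((tag, name))


def active_constructs(markup):
    """Return (tag, attribute) pairs for every script element or event handler in the parsed markup."""
    scanner = ActiveContentScanner()
    scanner.feed(markup)
    scanner.close()
    return scanner.findings


def compare(payloads=PAYLOADS):
    """For each payload: is executable content present in the unsafe render, in the unsafe render
    after naive sanitizing, and in the safe render?"""
    return {
        key: (
            bool(active_constructs(render_unsafe(p))),
            bool(active_constructs(render_unsafe(naive_sanitize(p)))),
            bool(active_constructs(render_safe(p))),
        )
        for key, p in payloads.items()
    }


if __name__ == "__main__":
    for key, (unsafe, naive, safe) in compare().items():
        print(f"{key:14s} unsafe={unsafe} naive_sanitized={naive} safe={safe}")
```

Only the script-tag payload is stopped by the blocklist; the img/onerror and attribute-breakout payloads survive it and still execute, while context-aware output escaping neutralises all three. That is why the remediation for this class of bug is the vendor's escaping fix, not a request filter.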

Business impact

This vulnerability is rated as High severity with a CVSS score of 7.2. Successful exploitation could lead to significant business impacts. Because WordPress sets its authentication cookies as HttpOnly, injected script usually cannot read them directly; instead it acts inside the victim's browser with the victim's authenticated session, for example by issuing requests to wp-admin or the REST API with the victim's nonce. If the victim is an administrator this is equivalent to hijacking the account and could result in unauthorized administrative actions, creation of new administrator users, content modification, website defacement, or the installation of further malware. The reputational damage from a compromised website and the potential loss of customer trust pose a serious risk to the organization.

Remediation

Immediate Action: Update the "WP Event Manager" plugin to the latest version, which addresses this vulnerability. If the plugin is not critical to business operations, consider deactivating and uninstalling it to completely remove the associated attack surface. Note that updating stops new injections but does not remove payloads already stored in existing organizer names; review those after patching.

Proactive Monitoring: Standard web server access logs do not record POST bodies, so detecting the injection itself requires a WAF audit log or application-level logging that captures request parameters. In such logs, look for HTML or script content (e.g., <script>, onerror=, onload=, javascript:) in the organizer_name parameter of POST requests to event creation/management pages. Decode the value first (URL decoding, including double-encoded input, and HTML entity decoding), since attackers routinely encode or vary the case of payloads to evade literal matching. Because the payload is stored, also search existing organizer names in the database for '<' or 'on...=' to find payloads planted before monitoring began, and monitor for unauthorized or unexpected content changes and for newly created administrator accounts.
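An added detection example, written for this advisory and not part of the vendor's or plugin's tooling: it scans a constructed JSON-lines request log (a format assumed for the example; the records, users and addresses are invented) for POST requests whose organizer_name parameter contains script-like content. The parameter name comes from the advisory; the decoding loop handles URL encoding, double URL encoding and HTML entities before matching, which is the step a literal grep for "<script>" misses.

```python
import html
import json
import re
from urllib.parse import parse_qs, unquote

# Constructed sample records (not real traffic). The format assumes an application or WAF
# log that captures POST bodies as JSON lines; ordinary access logs do not include bodies.
SAMPLE_LOG = r"""
{"ts":"2025-03-26T10:01:05Z","src_ip":"203.0.113.10","user":"editor1","method":"POST","uri":"/wp-admin/post.php","body":"post_ID=101&organizer_name=Jane+Doe+%26+Co&event_title=Spring+Meetup"}
{"ts":"2025-03-26T10:02:11Z","src_ip":"198.51.100.7","user":"contrib7","method":"POST","uri":"/wp-admin/post.php","body":"post_ID=102&organizer_name=%3CScRiPt%3Ealert%28document.domain%29%3C%2Fscript%3E"}
{"ts":"2025-03-26T10:03:40Z","src_ip":"198.51.100.7","user":"contrib7","method":"POST","uri":"/post-an-event/","body":"organizer_name=%3Cimg+src%3Dx+onerror%3Dalert%26%2340%3B1%26%2341%3B%3E"}
{"ts":"2025-03-26T10:04:02Z","src_ip":"198.51.100.7","user":"contrib7","method":"POST","uri":"/post-an-event/","body":"organizer_name=%253Csvg+onload%253Dalert%25281%2529%253E"}
{"ts":"2025-03-26T10:05:13Z","src_ip":"192.0.2.44","user":"editor1","method":"GET","uri":"/events/spring-meetup/","body":""}
{"ts":"2025-03-26T10:06:30Z","src_ip":"192.0.2.44","user":"editor1","method":"POST","uri":"/wp-admin/post.php","body":"post_ID=103&event_title=%3Cb%3EBold%3C%2Fb%3E"}
"""

# Parameter named in the advisory.
TARGET_PARAM = "organizer_name"

# Indicators checked after decoding, ordered from most to least specific.
INDICATORS = [
    ("script tag", re.compile(r"<\s*script\b", re.I)),
    ("html tag", re.compile(r"<\s*(?:img|svg|iframe|object|embed|body|style|link|meta|form|input|a|video|audio|details|math)\b", re.I)),
    ("event handler attribute", re.compile(r"\bon[a-z]+\s*=", re.I)),
    ("javascript: URI", re.compile(r"javascript\s*:", re.I)),
]


def normalize(value, rounds=3):
    """Undo layered URL and HTML-entity encoding until the value stops changing.
    Over-decoding can create false positives, but for hunting recall matters more than precision."""
    for _ in range(rounds):
        decoded = html.unescape(unquote(value))
        if decoded == value:
            break
        value = decoded
    return value


def extract_param(body, name=TARGET_PARAM):
    """Return the submitted values for one form field (assumes application/x-www-form-urlencoded bodies)."""
    return parse_qs(body, keep_blank_values=True).get(name, [])


def classify(value):
    """Return the decoded value and the list of indicator labels it matches."""
    decoded = normalize(value)
    return decoded, [label for label, rx in INDICATORS if rx.search(decoded)]


def scan_log(text):
    """Yield one finding per POST request whose organizer_name matches any indicator."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("method") != "POST":
            continue
        for raw in extract_param(rec.get("body", "")):
            decoded, hits = classify(raw)
            if hits:
                findings.append({
                    "ts": rec["ts"], "src_ip": rec["src_ip"], "user": rec.get("user"),
                    "uri": rec["uri"], "decoded": decoded, "indicators": hits,
                })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['src_ip']} user={f['user']} uri={f['uri']} {f['indicators']} value={f['decoded']!r}")
```

On the sample data the benign "Jane Doe & Co" submission and the unrelated event_title field are ignored, while the mixed-case script tag, the entity-encoded img/onerror payload and the double-URL-encoded svg/onload payload are all attributed to the same account, which is the pivot an analyst would take next (review that user's events, then the stored organizer names).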

Compensating Controls: If immediate patching is not feasible, implement a Web Application Firewall (WAF) with rulesets designed to detect and block XSS attack patterns, bearing in mind that encoded or context-specific payloads regularly bypass generic signatures, so a WAF reduces rather than removes the risk. Restrict the ability to create or edit events to a small set of highly trusted administrative users to limit the number of accounts that could exploit the flaw.

Exploitation status

Public Exploit Available: Information not available.

Analyst recommendation

Given the high severity score (7.2) and the low attack complexity once an account with event-editing rights is held, it is strongly recommended that organizations using the affected plugin apply the vendor-supplied update immediately. Stored XSS can lead to a full site compromise if an administrator views the injected content, since the script acts with the administrator's session. Prioritize patching this vulnerability across all relevant WordPress instances, then review existing organizer names for stored payloads, to prevent potential data breaches and reputational harm.