CVE-2026-13441
Last modified
CVE-2026-13441 is a high-severity vulnerability rated 7.2/10 on the CVSS scale. The EventPrime – Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'new_event_type_background_color' parameter in all versions up to, and including, 4.3.4.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with custom-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Description
The EventPrime – Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'new_event_type_background_color' parameter in all versions up to, and including, 4.3.4.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with custom-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This requires the plugin's Guest Submissions setting (allow_submission_by_anonymous_user) to be enabled, which allows unauthenticated attackers to submit event types via the frontend form; when that setting is disabled, exploitation requires at minimum a subscriber-level authenticated account.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Weakness Enumeration
Affected Software
Source: CNA advisory (CVE.org). NVD analysis pending.
| Vendor | Product | Versions |
|---|---|---|
| metagauss | EventPrime – Events Calendar, Bookings and Tickets | <= 4.3.4.2 |
References
Timeline
- Published
- Last Modified
- Status
- Deferred
Frequently Asked Questions
What is CVE-2026-13441?
How severe is CVE-2026-13441?
How do I fix CVE-2026-13441?
Related CVEs from 2026
- CVE-2026-13426The Mattermost Go module github.com/mattermost/mattermost/se…5.4
- CVE-2026-1343IBM Verify Identity Access Container 11.0 through 11.0.2 and…7.2
- CVE-2026-13430The Post Export Import with Media plugin for WordPress is vu…7.2
- CVE-2026-13434A flaw was found in KubeVirt's network annotation generator.…4.9
- CVE-2026-13437Insertion of sensitive information into sent data in the AI …6.5
- CVE-2026-1344Tanium addressed an insecure file permissions vulnerability …5.5
- CVE-2026-13443The Tutor LMS – eLearning and online course solution plugin …6.4
- CVE-2026-13449IBM Business Automation Manager Open Editions 9.0.0 through …9.1
- CVE-2026-1345IBM Verify Identity Access Container 11.0 through 11.0.2 and…7.3
- CVE-2026-13450The GamiPress – Gamification plugin to reward points, achiev…5.3
- CVE-2026-13454The MotoPress Appointment Booking plugin for WordPress is vu…6.5
- CVE-2026-13455PostgreSQL Anonymizer contains a vulnerability that allows u…4.3
Are you affected by CVE-2026-13441?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST
