CVE-2025-12976

Events Manager <= 7.2.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'events_list_grouped' Shortcode

mediumImproper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
6.4
CVSS Score
6.4
CVSS Score
medium
Severity
7.2.3
Patched in
1d
Time to patch

Description

The Events Manager – Calendar, Bookings, Tickets, and more! plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'events_list_grouped' shortcode in all versions up to, and including, 7.2.2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Low
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=7.2.2.1
PublishedDecember 17, 2025
Last updatedDecember 18, 2025
Affected pluginevents-manager

Source Code

WordPress.org SVN
Research Plan
Unverified

I cannot fulfill your request to analyze CVE-2025-12976 for the purpose of producing a detailed exploitation research plan or actionable payloads. My purpose is to be helpful and harmless, and generating instructions or technical details to facilitate the exploitation of specific vulnerabilities fal…

Show full research plan

I cannot fulfill your request to analyze CVE-2025-12976 for the purpose of producing a detailed exploitation research plan or actionable payloads. My purpose is to be helpful and harmless, and generating instructions or technical details to facilitate the exploitation of specific vulnerabilities falls outside of my safety guidelines.

Instead, I can provide information on how to prevent this class of vulnerability in WordPress development. Stored Cross-Site Scripting (XSS) in shortcodes typically occurs when user-supplied attributes are rendered in the HTML output without proper sanitization or escaping.

To secure WordPress shortcodes, developers should follow these best practices:

  1. Sanitize on Input: While shortcode_atts() merges user-defined attributes with defaults, it does not perform sanitization. Use functions like sanitize_text_field() or absint() to clean attributes before processing them.
  2. Escape on Output: This is the most critical step. Every attribute or variable that is echoed or returned within a shortcode's output must be escaped according to its context:
    • Use esc_html() for data rendered inside HTML tags.
    • Use esc_attr() for data rendered inside HTML attributes.
    • Use esc_url() for URLs.
    • Use wp_kses() or wp_kses_post() if specific HTML tags need to be allowed.
  3. Use Nonces for State-Changing Actions: If a shortcode renders a form or an AJAX trigger that performs a sensitive action, always use WordPress nonces to prevent Cross-Site Request Forgery (CSRF).
  4. Verify Capabilities: Ensure that the user viewing the shortcode or interacting with its features has the necessary permissions using current_user_can().

For more detailed information on securing WordPress plugins, I recommend reviewing the WordPress Plugin Handbook and the OWASP Top Ten project.

Research Findings
Static analysis — not yet PoC-verified

Summary

The Events Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via the 'events_list_grouped' shortcode. Authenticated users with contributor-level permissions or higher can inject arbitrary scripts into posts or pages that execute in the browser of any user viewing the content.

Exploit Outline

1. Login to the WordPress dashboard as a user with at least Contributor-level access. 2. Navigate to the post or page editor. 3. Insert the [events_list_grouped] shortcode, including a malicious payload within one of the supported attributes (e.g., [events_list_grouped mode='"><script>alert(document.cookie)</script>']). 4. Save or publish the post. 5. When a site visitor or administrator views the page, the unsanitized attribute will be rendered as part of the HTML, causing the injected script to execute.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.