CVE-2024-9864 is a stored Cross-Site Scripting (XSS) vulnerability classified under CWE-79 affecting the EventPrime – Events Calendar, Bookings and Tickets plugin for WordPress. This vulnerability exists in all versions up to and including 4.0.4.7 due to improper neutralization of input during web page generation. Specifically, the plugin fails to adequately sanitize and escape ticket name inputs submitted by front-end users when creating new events. As a result, an unauthenticated attacker can inject arbitrary JavaScript code into ticket names, which is then stored and rendered on event pages viewed by other users. This persistent XSS can lead to session hijacking, credential theft, or unauthorized actions performed in the context of the victim’s browser. The vulnerability is exploitable remotely without authentication but requires that the attacker can submit new events with tickets on the front end, which may be restricted depending on site configuration. The CVSS 3.1 base score is 6.1, reflecting a medium severity with network attack vector, low attack complexity, no privileges required, but user interaction needed and a scope change affecting confidentiality and integrity. No patches or known exploits are currently available, but the flaw poses a significant risk to websites using this plugin, especially those allowing public event submissions.

The primary impact of CVE-2024-9864 is on the confidentiality and integrity of user data and sessions on affected WordPress sites. Successful exploitation allows attackers to execute arbitrary scripts in the context of other users’ browsers, potentially leading to theft of session cookies, credentials, or other sensitive information. This can facilitate account takeover, unauthorized actions such as posting or modifying content, and distribution of malware via injected scripts. Although availability is not directly affected, the reputational damage and user trust erosion can be significant. Organizations relying on EventPrime for event management, especially those permitting front-end event submissions, face increased risk of targeted attacks or automated exploitation attempts. The vulnerability could be leveraged in phishing campaigns or combined with other attacks to escalate privileges or move laterally within compromised environments.

To mitigate CVE-2024-9864, organizations should first check for and apply any official patches or updates from the plugin vendor once available. Until a patch is released, administrators should restrict or disable front-end event submissions if feasible, preventing unauthenticated users from adding events with tickets. Implementing a Web Application Firewall (WAF) with custom rules to detect and block suspicious input patterns in ticket names can reduce exploitation risk. Additionally, site owners should enforce strict Content Security Policy (CSP) headers to limit script execution sources and reduce the impact of injected scripts. Regularly auditing and sanitizing user-generated content, combined with security-focused code reviews of plugin components, can help identify and remediate similar issues. Monitoring logs for unusual activity related to event submissions and user sessions is also recommended. Finally, educating users about the risks of XSS and encouraging use of security plugins that harden WordPress installations will improve overall resilience.