CVE-2025-12976 is a stored Cross-Site Scripting (XSS) vulnerability identified in the WordPress plugin 'Events Manager – Calendar, Bookings, Tickets, and more!' developed by netweblogic. This vulnerability exists in all plugin versions up to and including 7.2.2.1. The root cause is insufficient input sanitization and output escaping in the 'events_list_grouped' shortcode, which processes user-supplied attributes. Authenticated attackers with contributor-level privileges or higher can exploit this flaw by injecting arbitrary JavaScript code into pages generated by the plugin. Because the malicious script is stored persistently, it executes whenever any user accesses the compromised page, potentially affecting administrators, editors, and site visitors. The vulnerability's CVSS 3.1 vector is AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N, indicating it can be exploited remotely over the network with low complexity, requires privileges but no user interaction, and impacts confidentiality and integrity with a scope change. While no public exploits have been reported yet, the vulnerability poses a significant risk to WordPress sites using this plugin, especially those with multiple contributors. The lack of patch links suggests a fix may not yet be available, underscoring the need for immediate mitigation steps.

The exploitation of this stored XSS vulnerability can lead to several adverse impacts on affected organizations. Attackers can execute arbitrary scripts in the context of the vulnerable website, potentially stealing session cookies, leading to account takeover or privilege escalation. This can compromise the confidentiality of user data and the integrity of site content. Attackers might also deface websites or redirect users to malicious sites, damaging organizational reputation and user trust. Since the vulnerability affects a popular WordPress plugin, many websites globally could be at risk, especially those with multiple contributors who can inject content. The scope change in the CVSS vector indicates that the vulnerability can affect resources beyond the initially compromised component, amplifying the potential damage. Although availability is not impacted, the loss of confidentiality and integrity can have serious consequences, including regulatory compliance violations and financial losses.

Organizations should immediately audit their WordPress installations to identify the presence of the vulnerable 'Events Manager – Calendar, Bookings, Tickets, and more!' plugin. Until an official patch is released, administrators should restrict contributor-level and higher privileges to trusted users only, minimizing the risk of malicious script injection. Implementing a Web Application Firewall (WAF) with rules to detect and block suspicious script injections in shortcode attributes can provide interim protection. Site owners should also enable Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts. Regularly monitoring site content for unexpected script tags or changes can help detect exploitation attempts early. Once a patch becomes available, prompt updating of the plugin is critical. Additionally, educating contributors about safe content practices and input validation can reduce the risk of accidental injection.