CVE-2025-1410 is a stored cross-site scripting (XSS) vulnerability classified under CWE-79, found in the WordPress plugin Events Calendar Made Simple – Pie Calendar developed by apexws. The vulnerability exists in all versions up to and including 1.2.5 due to improper neutralization of user-supplied input within the plugin's piecal shortcode. Specifically, the plugin fails to adequately sanitize and escape attributes provided by authenticated users with contributor-level permissions or higher. This flaw allows these users to inject arbitrary JavaScript code that is stored persistently and executed in the context of any user who views the affected page. The attack vector is remote over the network, with low complexity, requiring no user interaction beyond page access. The vulnerability impacts confidentiality and integrity by enabling script execution that could steal session tokens, perform actions on behalf of other users, or deface content. The scope is changed because the injected script affects other users beyond the attacker. Although no public exploits have been reported yet, the vulnerability poses a significant risk to websites using this plugin, especially those allowing contributor-level access to untrusted users. The CVSS v3.1 base score is 6.4, reflecting medium severity. No official patches have been linked yet, so mitigation relies on access control, input validation, and monitoring.

The primary impact of CVE-2025-1410 is the potential for stored XSS attacks that compromise the confidentiality and integrity of affected WordPress sites. Attackers with contributor-level access can inject malicious scripts that execute in the browsers of site visitors, including administrators and other privileged users. This can lead to session hijacking, unauthorized actions performed with victim privileges, defacement, or distribution of malware. The vulnerability does not directly affect availability but can indirectly cause service disruption through defacement or administrative account compromise. Organizations relying on the Events Calendar Made Simple – Pie Calendar plugin risk data breaches, loss of user trust, and reputational damage. The medium severity score reflects the need for timely remediation, especially in environments with multiple contributors or where contributor accounts may be compromised. The scope change indicates that the impact extends beyond the attacker’s own privileges, affecting other users and potentially the entire site.

To mitigate CVE-2025-1410, organizations should immediately restrict contributor-level access to trusted users only, minimizing the risk of malicious input. Until an official patch is released, administrators can disable or remove the Events Calendar Made Simple – Pie Calendar plugin to eliminate the attack surface. Implementing a Web Application Firewall (WAF) with rules to detect and block common XSS payloads targeting the piecal shortcode can provide temporary protection. Site owners should audit existing content for injected scripts and remove any suspicious code. Encouraging the plugin vendor to release a patch with proper input sanitization and output escaping is critical. Additionally, applying Content Security Policy (CSP) headers can reduce the impact of injected scripts by restricting script execution sources. Regularly monitoring logs for unusual activity and educating contributors about safe content submission practices will further reduce risk.