CVE-2025-2799 identifies a stored cross-site scripting (XSS) vulnerability in the WP Event Manager – Events Calendar, Registrations, Sell Tickets with WooCommerce plugin for WordPress, affecting all versions up to and including 3.1.49. The vulnerability stems from insufficient sanitization and escaping of the 'tag-name' parameter during web page generation, classified under CWE-79. This flaw allows authenticated attackers with administrator-level privileges to inject arbitrary JavaScript code into pages. These scripts execute in the context of any user who accesses the compromised page, potentially leading to session hijacking, privilege escalation, or data theft. The vulnerability is limited to multi-site WordPress installations or those where the unfiltered_html capability is disabled, restricting its scope. The CVSS v3.1 base score is 4.4, reflecting a medium severity with network attack vector, high attack complexity, and requiring privileges but no user interaction. No public exploits have been reported yet, but the vulnerability poses a risk due to the high privileges required and the potential impact on confidentiality and integrity of site data. The vulnerability was reserved in March 2025 and published in July 2025, with Wordfence as the assigner. No official patches or fixes have been linked yet, emphasizing the need for immediate mitigation steps by affected users.

The primary impact of this vulnerability is on the confidentiality and integrity of data within affected WordPress sites. An attacker with administrator access can inject malicious scripts that execute in the browsers of users visiting the infected pages, potentially stealing session cookies, redirecting users to malicious sites, or performing unauthorized actions on behalf of users. Although availability is not directly impacted, the trustworthiness and security posture of the affected websites are compromised. Organizations relying on multi-site WordPress installations with this plugin are at risk of targeted attacks, especially if they manage sensitive event data or e-commerce transactions via WooCommerce integration. The requirement for administrator privileges limits the attack surface but also means that insider threats or compromised admin accounts could lead to exploitation. The medium CVSS score reflects moderate risk, but the potential for lateral movement and data exfiltration makes this a significant concern for organizations with high-value web assets.

To mitigate this vulnerability, organizations should first verify if they operate multi-site WordPress installations or have unfiltered_html disabled, as these conditions are necessary for exploitation. Immediate steps include restricting administrator access to trusted personnel and enforcing strong authentication mechanisms such as multi-factor authentication to reduce the risk of credential compromise. Administrators should monitor and audit plugin usage and input fields related to 'tag-name' parameters for suspicious activity. Applying strict input validation and output encoding at the application level can help prevent script injection. Until an official patch is released, consider disabling or removing the WP Event Manager plugin if feasible, or isolating affected sites to limit exposure. Regular backups and incident response plans should be updated to address potential XSS exploitation. Additionally, security teams should stay alert for updates from the vendor and apply patches promptly once available. Employing web application firewalls (WAFs) with custom rules to detect and block malicious payloads targeting the 'tag-name' parameter can provide interim protection.