CVE-2025-49311 is a stored Cross-site Scripting (XSS) vulnerability classified under CWE-79, affecting the CoolHappy The Events Calendar Countdown Addon up to version 1.4.9. This vulnerability arises due to improper neutralization of input during web page generation, allowing an attacker to inject malicious scripts that are persistently stored and later executed in the context of users viewing the affected calendar addon. The vulnerability has a CVSS 3.1 base score of 6.5, indicating a medium severity level. The vector metrics indicate that the attack can be performed remotely (AV:N) with low attack complexity (AC:L), but requires privileges (PR:L) and user interaction (UI:R). The scope is changed (S:C), meaning the vulnerability affects resources beyond the initially vulnerable component. The impact affects confidentiality, integrity, and availability at a low level (C:L, I:L, A:L). Stored XSS can lead to session hijacking, defacement, or redirection to malicious sites, potentially compromising user data and trust. No known exploits are currently reported in the wild, and no patches have been linked yet. The vulnerability is specifically tied to the input handling in the calendar countdown addon, which is commonly used in WordPress environments to display event countdowns.

For European organizations, especially those using WordPress with the CoolHappy The Events Calendar Countdown Addon, this vulnerability poses a risk of persistent XSS attacks that can compromise user sessions, steal sensitive information, or perform unauthorized actions on behalf of users. Organizations in sectors such as event management, hospitality, education, and public services that rely on event calendars for user engagement are particularly at risk. Exploitation could lead to reputational damage, data breaches involving personal data protected under GDPR, and potential regulatory fines. The requirement for low privileges and user interaction means that attackers might leverage social engineering or compromised accounts to exploit the vulnerability. Given the widespread use of WordPress in Europe, the threat could affect a broad range of small to medium enterprises and public-facing websites.

Organizations should immediately audit their WordPress installations for the presence of CoolHappy The Events Calendar Countdown Addon and verify the version in use. Until an official patch is released, administrators should consider disabling or removing the addon to eliminate exposure. Input validation and output encoding should be enforced rigorously on all user-supplied data within the addon. Web Application Firewalls (WAFs) can be configured to detect and block common XSS payloads targeting this vulnerability. Additionally, organizations should enforce the principle of least privilege to limit the number of users with permissions that could be leveraged to inject malicious content. Monitoring logs for unusual input patterns or script injections in calendar-related pages can help detect attempted exploitation. User awareness training to recognize phishing or social engineering attempts can reduce the risk of user interaction exploitation. Once a patch is available, prompt application of updates is critical.