
CVE-2025-5144: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in theeventscalendar The Events Calendar

Severity: Medium
Tags: Vulnerability, CVE-2025-5144, CWE-79
Published: Wed Jun 11 2025 (06/11/2025, 12:22:52 UTC)
Source: CVE Database V5
Vendor/Project: theeventscalendar
Product: The Events Calendar

Description

The Events Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'data-date-*' parameters in all versions up to, and including, 6.13.2, due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with Contributor-level access and above to inject arbitrary web scripts into pages; the scripts execute whenever a user accesses an injected page.

AI-Powered Analysis

Last updated: 07/12/2025, 06:31:54 UTC

Technical Analysis

CVE-2025-5144 is a stored Cross-Site Scripting (XSS) vulnerability identified in The Events Calendar plugin for WordPress, affecting all versions up to and including 6.13.2. The vulnerability arises from improper neutralization of input during web page generation, specifically via the 'data-date-*' parameters. These parameters are insufficiently sanitized and escaped, allowing an authenticated attacker with Contributor-level privileges or higher to inject arbitrary JavaScript code into pages generated by the plugin. When other users access these compromised pages, the injected scripts execute in their browsers, potentially leading to session hijacking, privilege escalation, or other malicious activities. The vulnerability has a CVSS 3.1 base score of 6.4, indicating a medium severity level. The attack vector is network-based, requires low attack complexity, and privileges at the Contributor level, but does not require user interaction. The scope is changed, meaning the vulnerability can affect resources beyond the initially compromised component. No known exploits in the wild have been reported yet, and no official patches are currently linked. The vulnerability is categorized under CWE-79, which relates to improper neutralization of input leading to XSS attacks.

Potential Impact

For European organizations using WordPress websites with The Events Calendar plugin, this vulnerability poses a significant risk. Stored XSS can be exploited to steal user credentials, including those of administrators, or to perform actions on behalf of users without their consent. This can lead to unauthorized access to sensitive data, defacement of websites, or distribution of malware to visitors. Given the widespread use of WordPress and The Events Calendar plugin across various sectors in Europe—including government, education, and commerce—the potential for reputational damage and regulatory non-compliance (e.g., GDPR violations due to data breaches) is considerable. The requirement for Contributor-level access means that attackers must have some level of authenticated access, which could be obtained through phishing or credential stuffing attacks. The ability to affect multiple users through stored scripts increases the attack's impact. Additionally, the changed scope indicates that the vulnerability could compromise components beyond the plugin itself, potentially affecting the entire WordPress installation and its data integrity.

Mitigation Recommendations

European organizations should immediately audit their WordPress installations to identify the presence of The Events Calendar plugin and verify the version in use. Until an official patch is released, organizations should implement the following mitigations:

1) Restrict Contributor-level access strictly to trusted users and review user roles and permissions regularly to minimize the risk of unauthorized access.
2) Employ Web Application Firewalls (WAFs) with custom rules to detect and block malicious payloads targeting 'data-date-*' parameters.
3) Implement Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in browsers.
4) Monitor logs for unusual activity related to the plugin's parameters and user inputs.
5) Consider temporarily disabling or removing The Events Calendar plugin if feasible, especially on high-risk or critical websites.
6) Educate users with Contributor or higher roles about phishing and credential security to prevent account compromise.
7) Prepare to apply official patches promptly once available and test updates in a staging environment before production deployment.
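As an added illustration (not code from the plugin, from Wordfence, or from this advisory), the following Python shows the two controls the description says were insufficient, allowlist validation on input and escaping on output, applied to data-date-* values; the same allowlist is what a WAF rule or log alert for mitigation items 2 and 4 would check. It assumes such values are meant to be ISO-8601 calendar dates, which the advisory does not state, and the sample parameters are constructed.

```python
import html
import re
from typing import Dict, List, Tuple

# Assumption (not stated in the advisory): a data-date-* value is meant to be an
# ISO-8601 calendar date such as 2025-06-11. Anything else is rejected outright.
DATE_RE = re.compile(r"\d{4}-(0[1-9]|1[0-2])-(0[1-9]|[12]\d|3[01])")
NAME_RE = re.compile(r"data-date-[a-z][a-z0-9-]*")


def escape_attr(value: str) -> str:
    """Output escaping for an HTML attribute value (the role esc_attr() plays
    in WordPress): quotes, angle brackets and ampersands can no longer close
    the attribute or open a tag."""
    return html.escape(value, quote=True)


def render_date_attrs(params: Dict[str, str]) -> Tuple[str, List[str]]:
    """Validate data-date-* parameters on input, escape them on output.

    Returns (attribute_string, rejected_parameter_names). Both controls are
    applied: validation drops anything that is not a date, and escaping makes
    sure even an accepted value cannot break out of its quoted attribute.
    """
    attrs: List[str] = []
    rejected: List[str] = []
    for name, value in params.items():
        if not NAME_RE.fullmatch(name):
            continue  # not a data-date-* parameter; out of scope here
        if not DATE_RE.fullmatch(value):
            rejected.append(name)  # candidate for a WAF rule or log alert
            continue
        attrs.append(f'{name}="{escape_attr(value)}"')
    return " ".join(attrs), rejected


# Constructed sample input: one valid date and one attribute-breakout attempt.
SAMPLE_PARAMS = {
    "data-date-start": "2025-06-11",
    "data-date-end": '2025-06-12"><b>not a date</b>',
    "post_title": "Summer fair",
}

if __name__ == "__main__":
    rendered, bad = render_date_attrs(SAMPLE_PARAMS)
    print(rendered)  # data-date-start="2025-06-11"
    print(bad)       # ['data-date-end']
```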


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2025-05-24T00:29:15.822Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 684978f723110031d40faf99

Added to database: 6/11/2025, 12:39:19 PM

Last enriched: 7/12/2025, 6:31:54 AM

Last updated: 8/7/2025, 3:57:41 PM
