CVE-2025-5801: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in rejuancse Digital Events Calendar

Severity: Medium
Tags: Vulnerability, CVE-2025-5801, CWE-79
Published: Thu Sep 11 2025 (09/11/2025, 07:24:52 UTC)
Source: CVE Database V5
Vendor/Project: rejuancse
Product: Digital Events Calendar

Description

The Digital Events Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'column' parameter in all versions up to, and including, 1.0.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

AI-Powered Analysis

AI analysis last updated: 09/11/2025, 07:39:28 UTC

Technical Analysis

CVE-2025-5801 is a medium-severity stored Cross-Site Scripting (XSS) vulnerability in the Digital Events Calendar WordPress plugin developed by rejuancse. The plugin neither sanitizes the 'column' parameter on input nor escapes it on output, so its value is written into generated pages verbatim (CWE-79, improper neutralization of input during web page generation). All versions up to and including 1.0.8 are affected. An authenticated attacker with Contributor-level privileges or higher can store arbitrary JavaScript in a page generated by the plugin; the script then executes in the browser of every user who views that page, which can lead to session hijacking, privilege escalation, or other malicious activity. The CVSS 3.1 base score is 6.4 (medium): network attack vector, low attack complexity, privileges required (Contributor or above), no user interaction, and a changed scope, because the injected script runs in the visitor's browser rather than within the vulnerable plugin component itself. The impact is to confidentiality and integrity; availability is not affected. No exploitation in the wild has been reported and no patch has been linked yet. The CVE was reserved in June 2025 and published in September 2025.
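The following is an added illustration of the CWE-79 pattern the analysis describes, not code from the Digital Events Calendar plugin. It assumes the 'column' value arrives as a shortcode attribute set by a Contributor and is written into the class attribute of the calendar wrapper; the shortcode name, function names and the 1..6 range are placeholders.

```php
<?php
// Added illustration for CVE-2025-5801; not code from the Digital Events Calendar plugin.
// Assumption: the 'column' value arrives as a shortcode attribute set by a Contributor
// and is written into the class attribute of the calendar wrapper.

// Pattern the advisory describes: no sanitization on input, no escaping on output.
// A value containing a double quote closes the class attribute, and whatever follows
// is rendered as HTML for every visitor of the page.
function dec_demo_render_vulnerable( $atts ) {
    $atts = shortcode_atts( array( 'column' => '3' ), $atts, 'dec_demo' );
    return '<div class="dec-grid dec-col-' . $atts['column'] . '"></div>';
}

// Hardened form: validate against the values the layout actually supports,
// then still escape at the point of output (defence in depth).
function dec_demo_render_hardened( $atts ) {
    $atts   = shortcode_atts( array( 'column' => '3' ), $atts, 'dec_demo' );
    $column = absint( $atts['column'] );      // non-numeric input becomes 0
    if ( $column < 1 || $column > 6 ) {       // assumed supported range 1..6
        $column = 3;                          // fall back to the default layout
    }
    $class = 'dec-grid dec-col-' . $column;
    return '<div class="' . esc_attr( $class ) . '"></div>';
}

add_shortcode( 'dec_demo', 'dec_demo_render_hardened' );
```

The allowlist is what actually closes the hole; esc_attr() alone would stop attribute breakout but would still let an arbitrary string reach the markup.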

Potential Impact

For European organizations using WordPress sites with the Digital Events Calendar plugin, this vulnerability poses a significant risk to the confidentiality and integrity of user data and site content. Since exploitation requires only Contributor-level access, which is a relatively low privilege level often granted to trusted users or external content contributors, the attack surface is broader than vulnerabilities requiring administrative privileges. Exploitation could lead to session hijacking, unauthorized actions performed on behalf of users, defacement, or distribution of malware through injected scripts. This could damage organizational reputation, lead to data breaches involving personal or sensitive information, and potentially violate GDPR regulations concerning data protection and breach notification. The scope change in the CVSS vector suggests that the vulnerability may affect multiple components or users beyond the initial compromised account, increasing the potential impact. The absence of known exploits in the wild provides a window for mitigation before widespread attacks occur. However, given the popularity of WordPress in Europe and the frequent use of event calendar plugins for public-facing websites, the risk remains material, especially for sectors such as education, public administration, and event management that rely heavily on such plugins.

Mitigation Recommendations

European organizations should immediately audit their WordPress installations to identify the presence of the Digital Events Calendar plugin and verify its version. Until an official patch is released, organizations should consider the following specific mitigations:

1) Restrict Contributor-level access strictly to trusted users and review existing user roles to minimize unnecessary privileges.
2) Implement Web Application Firewall (WAF) rules to detect and block suspicious input patterns targeting the 'column' parameter, focusing on script tags or JavaScript event handlers.
3) Employ Content Security Policy (CSP) headers to limit the execution of inline scripts and reduce the impact of injected scripts.
4) Monitor logs for unusual activity or unexpected changes in pages generated by the plugin.
5) If feasible, temporarily disable or replace the Digital Events Calendar plugin with an alternative calendar solution that is not vulnerable.
6) Stay alert for official patches or updates from the vendor and apply them promptly once available.
7) Educate content contributors about safe input practices and the risks of inserting untrusted content.

These targeted actions go beyond generic advice by focusing on access control, input filtering, and containment strategies specific to this vulnerability's exploitation vector.
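As an added example of mitigations 2, 3 and 4 in one place (not vendor code), a must-use plugin that rejects and logs markup-bearing 'column' request values and rolls out CSP on the public site in report-only mode first. It assumes the value can also arrive as an HTTP request parameter named 'column'; the plugin name, function names and policy are placeholders.

```php
<?php
/**
 * Plugin Name: Column Parameter Guard (added example, not vendor code)
 * Description: Interim defence while the plugin is unpatched. Assumes the
 * vulnerable value can also arrive as a request parameter named 'column'.
 * Drop into wp-content/mu-plugins/ so it loads on every request.
 */

// Mitigation 2: a column count never legitimately contains markup or handlers.
function cpg_column_value_is_suspicious( $value ) {
    if ( ! is_string( $value ) ) {
        return false;
    }
    return (bool) preg_match( '/[<>"\']|on\w+\s*=|javascript:/i', $value );
}

add_action( 'init', function () {
    if ( ! isset( $_REQUEST['column'] ) ) {
        return;
    }
    $value = wp_unslash( $_REQUEST['column'] );
    if ( ! cpg_column_value_is_suspicious( $value ) ) {
        return;
    }
    // Mitigation 4: leave an audit trail (user id + URI) before blocking.
    error_log( sprintf(
        'column-guard: blocked user %d on %s',
        get_current_user_id(),
        isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : '?'
    ) );
    wp_die( 'Invalid column value.', 'Forbidden', array( 'response' => 403 ) );
} );

// Mitigation 3: CSP on the public site only. Start with Report-Only; switch to
// Content-Security-Policy once reports show WordPress's own inline scripts
// (emoji loader, theme snippets) have been moved to files or given nonces.
add_action( 'send_headers', function () {
    if ( is_admin() ) {
        return;
    }
    header( "Content-Security-Policy-Report-Only: default-src 'self'; script-src 'self'; object-src 'none'" );
} );
```

The request filter does not cover a value stored through the editor as a shortcode attribute, so it complements, rather than replaces, restricting Contributor access and patching.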

Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2025-06-06T09:32:22.344Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68c27a21e1c560fa9d94d41d

Added to database: 9/11/2025, 7:28:33 AM

Last enriched: 9/11/2025, 7:39:28 AM

Last updated: 9/11/2025, 7:07:37 PM
