CVE-2025-63064 is a stored Cross-site Scripting (XSS) vulnerability identified in the ashanjay EventON plugin, a popular WordPress event calendar solution. The vulnerability stems from improper neutralization of user-supplied input during web page generation, allowing malicious scripts to be injected and stored persistently within event data. When other users or administrators view the affected event pages, the malicious scripts execute in their browsers, potentially leading to session hijacking, credential theft, or unauthorized actions within the context of the victim’s session. The vulnerability affects all versions of EventON up to and including 4.9.12. According to the CVSS v3.1 vector (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L), the attack can be launched remotely over the network with low attack complexity, requiring the attacker to have low privileges (e.g., authenticated user) and some user interaction (e.g., victim viewing the malicious event). The scope is changed, indicating that the vulnerability can affect resources beyond the initially vulnerable component. The impact includes low confidentiality, integrity, and availability losses, consistent with typical stored XSS risks. No public exploits have been reported yet, but the vulnerability is publicly disclosed and should be considered a credible threat. The plugin’s widespread use in WordPress sites for event management makes it a significant target for attackers aiming to compromise web applications and their users.

For European organizations, the impact of CVE-2025-63064 can be significant, especially for those relying on EventON for managing public-facing event calendars or internal event scheduling. Exploitation could allow attackers to execute arbitrary JavaScript in the browsers of site visitors or administrators, leading to session hijacking, theft of sensitive information, or unauthorized actions such as modifying event data or injecting further malicious content. This can damage organizational reputation, lead to data breaches, and disrupt business operations. Organizations in sectors with frequent public events, such as cultural institutions, universities, and conference organizers, are particularly at risk. Additionally, since the vulnerability requires low privileges but user interaction, phishing or social engineering could be used to increase exploitation success. The medium severity rating reflects that while the vulnerability is not critical, it still poses a meaningful risk to confidentiality, integrity, and availability of web applications and user data.

1. Monitor for and apply official patches or updates from the ashanjay EventON plugin vendor as soon as they are released to remediate the vulnerability. 2. Until patches are available, implement strict input validation and sanitization on all user-supplied data fields related to event creation and editing to prevent injection of malicious scripts. 3. Employ output encoding techniques to neutralize any potentially dangerous characters before rendering event data on web pages. 4. Configure Content Security Policies (CSP) to restrict the execution of unauthorized scripts and reduce the impact of XSS attacks. 5. Limit plugin user privileges to the minimum necessary to reduce the risk of malicious input from authenticated users. 6. Conduct regular security audits and penetration testing focused on web application vulnerabilities, including XSS. 7. Educate users and administrators about the risks of clicking on suspicious links or interacting with untrusted content within event pages. 8. Use web application firewalls (WAF) with rules designed to detect and block XSS payloads targeting EventON or similar plugins.