CVE-2025-6975 is a reflected Cross-Site Scripting (XSS) vulnerability classified under CWE-79, found in the Events Manager – Calendar, Bookings, Tickets, and more! plugin for WordPress developed by netweblogic. This vulnerability exists due to insufficient sanitization and escaping of user-supplied input in the 'calendar_header' parameter, which is used during web page generation. Because the plugin fails to properly neutralize this input, an attacker can craft a malicious URL containing JavaScript code embedded in the 'calendar_header' parameter. When an unsuspecting user clicks this URL, the injected script executes in their browser context, potentially allowing the attacker to steal session cookies, perform actions on behalf of the user, or redirect them to malicious sites. The vulnerability affects all versions up to and including 7.0.3. It requires no authentication but does require user interaction (clicking a malicious link). The CVSS v3.1 base score is 6.1, reflecting a medium severity with network attack vector, low attack complexity, no privileges required, user interaction required, and impacts on confidentiality and integrity with no impact on availability. No public exploits have been reported yet, but the vulnerability poses a significant risk to websites using this plugin, especially those with high user interaction or sensitive data. The vulnerability was published on July 9, 2025, and no patches or updates are currently linked, indicating a need for immediate attention from site administrators.

The primary impact of this vulnerability is on the confidentiality and integrity of users interacting with affected WordPress sites. Successful exploitation can lead to theft of session cookies, enabling attackers to impersonate users, including administrators, potentially leading to unauthorized actions or data exposure. It can also facilitate phishing attacks by injecting malicious content or redirecting users to fraudulent sites. Although availability is not directly impacted, the loss of trust and potential data breaches can have severe reputational and financial consequences for organizations. Since the vulnerability is exploitable without authentication but requires user interaction, it can be leveraged in targeted spear-phishing campaigns or mass exploitation attempts. Organizations relying on this plugin for event management, ticketing, or booking services may face increased risk of customer data compromise and service abuse. The scope includes all WordPress sites using the vulnerable plugin versions, which can be substantial given WordPress's market share. The lack of known exploits in the wild currently reduces immediate risk but does not eliminate the threat, especially as exploit code could be developed rapidly once the vulnerability is public.

Site administrators should immediately verify if their WordPress installations use the Events Manager – Calendar, Bookings, Tickets, and more! plugin and identify the version. If running version 7.0.3 or earlier, they should seek updates or patches from the vendor as soon as they become available. In the absence of an official patch, administrators can implement web application firewall (WAF) rules to detect and block suspicious requests containing malicious payloads in the 'calendar_header' parameter. Input validation and output encoding can be manually applied if feasible, though this requires development expertise. Additionally, administrators should educate users about the risks of clicking unsolicited links and implement Content Security Policy (CSP) headers to restrict script execution sources. Monitoring web server logs for unusual query parameters and user activity can help detect exploitation attempts. Regular backups and incident response plans should be updated to handle potential breaches. Finally, consider disabling or replacing the plugin with a more secure alternative if immediate patching is not possible.