CVE-2025-9875 is a stored Cross-Site Scripting (XSS) vulnerability classified under CWE-79 affecting the Event Tickets, RSVPs, Calendar plugin for WordPress, developed by ticketspot. The vulnerability exists in all versions up to and including 1.0.2 due to improper neutralization of input during web page generation. Specifically, the plugin's 'ticket_spot' shortcode fails to adequately sanitize and escape user-supplied attributes, allowing authenticated users with contributor-level permissions or higher to inject arbitrary JavaScript code. When other users access pages containing the injected shortcode, the malicious scripts execute in their browsers. This can lead to unauthorized actions such as session hijacking, credential theft, or content manipulation. The vulnerability requires authentication but no additional user interaction beyond page viewing. The CVSS v3.1 base score is 6.4, indicating a medium severity with network attack vector, low attack complexity, and privileges required at the contributor level. The scope is changed, meaning the vulnerability affects components beyond the initially vulnerable plugin, potentially impacting the entire WordPress site. No patches or fixes are currently linked, and no known exploits have been observed in the wild. The vulnerability was reserved on September 2, 2025, and published on October 3, 2025.

The impact of CVE-2025-9875 is primarily on the confidentiality and integrity of affected WordPress sites using the Event Tickets, RSVPs, Calendar plugin. Attackers with contributor-level access can inject persistent malicious scripts that execute in the browsers of any user visiting the compromised pages. This can lead to session hijacking, theft of sensitive user data, unauthorized actions performed on behalf of users, and defacement or redirection to malicious sites. Although availability is not directly impacted, the reputational damage and potential data breaches can be significant. Organizations relying on this plugin for event management may face increased risk of targeted attacks, especially if contributor accounts are compromised or misused. The requirement for authenticated access limits exploitation to insiders or attackers who have breached lower-level accounts, but the widespread use of WordPress and this plugin increases the attack surface. Without timely remediation, attackers could leverage this vulnerability to escalate privileges or move laterally within affected environments.

To mitigate CVE-2025-9875, organizations should first check for updates or patches from the ticketspot plugin developers and apply them immediately once available. In the absence of official patches, administrators should restrict contributor-level access to trusted users only and audit existing contributor accounts for suspicious activity. Implementing a Web Application Firewall (WAF) with rules to detect and block XSS payloads targeting the 'ticket_spot' shortcode parameters can reduce risk. Additionally, site administrators can manually sanitize and escape user inputs in the shortcode if custom development resources are available. Monitoring logs for unusual shortcode usage or script injections can help detect exploitation attempts early. Educating users about the risks of XSS and enforcing strong authentication and session management practices will further reduce impact. Finally, consider disabling or replacing the vulnerable plugin with a more secure alternative until a fix is released.