CVE-2020-26153: 
WordPress vulnerability analysis and mitigation

A cross-site scripting (XSS) vulnerability was discovered in the Event Espresso Core WordPress plugin, identified as CVE-2020-26153. The vulnerability affects versions before 4.10.7.p and was disclosed on July 13, 2021. The vulnerability exists in the file wp-content/plugins/event-espresso-core-reg/adminpages/messages/templates/eemsgadminoverview.template.php, allowing remote attackers to inject arbitrary web script or HTML via the page parameter (NVD).

The vulnerability stems from improper input validation where the plugin accepts user input from the page URL parameter and outputs it directly within the response without escaping HTML characters. The vulnerability was found in a template file that was not intended to be called directly, but there were no controls limiting unauthenticated users from accessing it. The severity of this vulnerability is rated as MEDIUM with a CVSS v3.1 Base Score of 6.1 (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) (NVD, Nettitude Labs).

The vulnerability allows attackers to inject malicious JavaScript and HTML through specially crafted GET requests. This could potentially lead to the execution of arbitrary web scripts or HTML in the context of the user's browser session (Nettitude Labs).

The vulnerability has been patched in Event Espresso Core version 4.10.7.p. Users are advised to upgrade to this version or later to protect against this vulnerability (NVD).