CVE-2024-7982: 
WordPress vulnerability analysis and mitigation

The Registrations for the Events Calendar WordPress plugin before version 2.12.4 contains a Cross-Site Scripting (XSS) vulnerability. The vulnerability was discovered by Bob Matyas and publicly disclosed on October 18, 2024. The issue affects the event registration functionality where the plugin fails to properly sanitize and escape certain parameters when processing event registrations (WPScan, NVD).

The vulnerability is classified as an Unauthenticated Stored Cross-Site Scripting (XSS) issue, tracked as CWE-79 (Improper Neutralization of Input During Web Page Generation). The CVSS v3.1 base score is 9.6 (Critical) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H, indicating a severe security risk (NVD).

This vulnerability allows unauthenticated users to inject malicious scripts through event registration parameters. When administrators view or edit these registrations in the WordPress admin panel, the malicious scripts can execute, potentially leading to unauthorized access to sensitive information or manipulation of admin functions (WPScan).

The vulnerability has been patched in version 2.12.4 of the Registrations for the Events Calendar plugin. Site administrators are strongly advised to update to this version or later to protect against potential XSS attacks (WPScan).