CVE-2025-1410: 
WordPress vulnerability analysis and mitigation

The Events Calendar Made Simple – Pie Calendar plugin for WordPress (version <= 1.2.5) contains a Stored Cross-Site Scripting vulnerability via the plugin's piecal shortcode. The vulnerability was discovered by Krzysztof Zając from CERT PL and was publicly disclosed on February 20, 2025, with the last update on February 21, 2025 (Wordfence Intel).

The vulnerability has been assigned a CVSS score of 6.4 (Medium severity). The issue allows authenticated users with contributor-level access to inject malicious JavaScript code through the piecal shortcode attribute. This vulnerability affects the locale attribute of the shortcode specifically, which could lead to the execution of arbitrary JavaScript code (Wordfence Intel).

If exploited, this vulnerability could allow attackers to execute arbitrary JavaScript code in the context of other users' browsers who view the affected pages. This could potentially lead to theft of sensitive information, session hijacking, or other client-side attacks (Wordfence Intel).

The vulnerability has been patched in version 1.2.6 of the plugin. Site administrators are strongly advised to update to this version immediately. The update prevents the execution of JavaScript in the locale attribute of the [piecal] shortcode (WordPress Plugin).