CVE-2025-2800: 
WordPress vulnerability analysis and mitigation

The WP Event Manager – Events Calendar, Registrations, Sell Tickets with WooCommerce plugin for WordPress contains a Stored Cross-Site Scripting vulnerability (CVE-2025-2800) discovered on July 15, 2025. The vulnerability affects all versions up to and including 3.1.50, allowing unauthenticated attackers to inject arbitrary web scripts via the 'organizer_name' parameter (NVD Database).

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) and has received a CVSS v3.1 base score of 6.1 (MEDIUM) from NIST and 7.2 (HIGH) from Wordfence. The vulnerability stems from insufficient input sanitization and output escaping in the organizer_name parameter, which allows attackers to inject malicious scripts that execute when users access the affected pages (NVD Database, Rapid7).

When exploited, this vulnerability allows unauthenticated attackers to inject arbitrary web scripts that execute whenever a user accesses an injected page. This can lead to potential compromise of user data and session information for visitors accessing the affected pages (NVD Database).

A patch has been released to address this vulnerability. Users are advised to update their WP Event Manager plugin to a version newer than 3.1.50 (NVD Database).