CVE-2025-46228: 
WordPress vulnerability analysis and mitigation

A Cross-site Scripting (XSS) vulnerability has been identified in Bastien Ho Event post plugin affecting versions through 5.9.11. The vulnerability was discovered by astra.r3verii on March 20, 2025, and publicly disclosed on April 22, 2025. This DOM-Based XSS vulnerability affects the WordPress Event post plugin (NVD, Patchstack).

The vulnerability is classified as an Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) issue. It has been assigned a CVSS v3.1 base score of 5.4 (Medium) by NVD with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, while Patchstack rates it at 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L (NVD).

The vulnerability could allow an attacker to inject malicious scripts, which may lead to the execution of arbitrary code when users visit the affected pages. This could potentially result in unauthorized access to sensitive information, session hijacking, or other malicious activities (Patchstack).

Users are advised to update to Event post version 5.10.0 or later, which contains the fix for this vulnerability. The issue has been patched in the latest release (Patchstack).