CVE-2025-5144: 
WordPress vulnerability analysis and mitigation

The Events Calendar plugin for WordPress contains a Stored Cross-Site Scripting (XSS) vulnerability identified as CVE-2025-5144, discovered and disclosed on June 11, 2025. The vulnerability affects all versions up to and including 6.13.2 of the plugin. This security issue is present in the plugin's handling of 'data-date-*' parameters (NVD, Wiz).

The vulnerability stems from insufficient input sanitization and output escaping of the 'data-date-*' parameters in the bootstrap-datepicker component. The issue has been assigned a CVSS v3.1 base score of 6.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N, indicating network accessibility with low attack complexity (NVD, Wiz).

When exploited, this vulnerability allows authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses an affected page, potentially leading to data theft, session hijacking, or other client-side attacks (Wiz).

A patch has been released in version 6.13.2.1 of The Events Calendar plugin. Site administrators are advised to update to this version or later to address the vulnerability (Wiz).