CVE-2025-58623: 
WordPress vulnerability analysis and mitigation

The Event Feed for Eventbrite plugin for WordPress contains a Stored Cross-Site Scripting vulnerability (CVE-2025-58623) affecting versions up to and including 1.3.2. The vulnerability was discovered by Muhammad Yudha - DJ and publicly disclosed on September 3, 2025. This security issue affects WordPress installations using the vulnerable plugin versions (Rapid7 DB, Patchstack).

The vulnerability is classified as an Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) with a CVSS v3.1 Base Score of 6.5 (Medium). The attack vector is network-based, with low attack complexity, requiring low privileges and user interaction. The vulnerability has a changed scope with low impact on confidentiality, integrity, and availability (AttackerKB).

The vulnerability allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses an injected page, potentially leading to unauthorized actions, data theft, or site defacement (Rapid7 DB).

The vulnerability has been fixed in version 1.4.0 of the Event Feed for Eventbrite plugin. Site administrators are advised to update to version 1.4.0 or later to remove the vulnerability (Patchstack).