Security Alert Summary
The Event Organiser plugin for WordPress contains a stored cross-site scripting (XSS) vulnerability in versions up to and including 3.12.9. The eo_events shortcode accepts attacker-controlled no_events content and renders it without output escaping in event list templates. Authenticated users with Contributor-level access or higher can inject scripts that execute when an affected page is viewed.
CVE Details
- CVE ID: CVE-2026-2387
- Affected component: Event Organiser plugin for WordPress
- Affected versions: All versions up to and including 3.12.9
- Published: July 1, 2026 at 05:16:19 AM UTC
- Last modified: July 1, 2026 at 01:56:17 PM UTC
- CVSS v3.1 base score: 6.4 (MEDIUM)
- CVSS v3.1 vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
- Authentication / privileges / user interaction: Requires an authenticated user with low privileges (Contributor-level or higher). No user interaction is required for the injected payload to execute when a page is viewed.
- Primary impact:
  - Confidentiality: Low
  - Integrity: Low
  - Availability: None
- CWE: CWE-79 (Improper Neutralization of Input During Web Page Generation – Cross-site Scripting)
Technical Details
The vulnerability is a stored Cross-Site Scripting (XSS) issue caused by the eo_events shortcode accepting attacker-controlled content via the no_events parameter and rendering that content inside event list templates without proper output escaping. Because the plugin outputs the supplied no_events content directly into page templates, an attacker who can supply that content can persistently store script code that will run in the browser of any user who visits the affected page.
The CVE description specifically notes the absence of output escaping when rendering no_events. No additional functions or REST endpoints are named in the provided data. The practical effect is that malicious script injected via the shortcode will execute in the security context of site visitors and authenticated users who view the injected page.
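To make the "absence of output escaping" concrete, the following is an added Python model of a shortcode handler, written for this page; it is not the plugin's PHP and does not reproduce the plugin's actual code. Only the no_events attribute comes from the advisory; the limit attribute, the default message text and the template markup are assumptions. The vulnerable function inserts no_events as-is, the hardened one escapes it for an HTML text context first (what esc_html() does in WordPress).

```python
import html

# Defaults for a hypothetical eo_events-style shortcode. Only "no_events" is
# named on the page; "limit" and the default message text are assumptions.
DEFAULT_ATTS = {"no_events": "No events found.", "limit": "5"}


def shortcode_atts(defaults, user_atts):
    """Merge user-supplied attributes over the defaults, dropping unknown keys
    (the behaviour of WordPress's shortcode_atts(), modelled here in Python)."""
    return {key: user_atts.get(key, default) for key, default in defaults.items()}


def _event_list(events, empty_message_html):
    """Shared template: a list of events, or the 'no events' message when empty.
    Event titles are always escaped; the empty message is whatever the caller passes."""
    if not events:
        return f'<ul class="eo-event-list"><li class="eo-no-events">{empty_message_html}</li></ul>'
    items = "".join(f"<li>{html.escape(title)}</li>" for title in events)
    return f'<ul class="eo-event-list">{items}</ul>'


def render_events_vulnerable(events, user_atts):
    """Vulnerable pattern: the no_events attribute reaches the template as-is,
    so any markup a low-privilege author put in the shortcode becomes live HTML."""
    atts = shortcode_atts(DEFAULT_ATTS, user_atts)
    return _event_list(events, atts["no_events"])


def render_events_hardened(events, user_atts):
    """Hardened pattern: the same attribute is escaped for an HTML text context
    before insertion, so '<' and '>' are rendered literally and cannot open a tag."""
    atts = shortcode_atts(DEFAULT_ATTS, user_atts)
    return _event_list(events, html.escape(atts["no_events"], quote=True))


if __name__ == "__main__":
    # Constructed attribute set standing in for what a Contributor could type
    # into the shortcode; no real site content is involved.
    constructed = {"no_events": "<script>/* constructed test payload */</script>"}
    print("vulnerable:", render_events_vulnerable([], constructed))
    print("hardened:  ", render_events_hardened([], constructed))
```

The fix belongs at output time, not at save time: WordPress already lets Contributors save shortcodes with arbitrary attribute text, so the template must decide what the attribute may become. If the message is meant to be plain text, esc_html() is the right call; if limited formatting is intended, an allowlist filter such as wp_kses_post() is the alternative. Either way the raw attribute must never be concatenated into the page.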
How This Could Impact Your Website
In a typical WordPress setup, multiple users interact with the site: the site owner and administrators, internal staff such as editors, and external contractors or contributors who may have lower-privilege accounts. Because this vulnerability can be exploited by any authenticated user with Contributor-level access or higher, an external contractor or a contributor account could be used to inject script into event pages.
Practical consequences include exposure of internal information visible in the browser (for example, email addresses shown in the page or accessible via scripts), session data or tokens accessible to scripts in some configurations, and an increased risk of targeted phishing or social engineering against site staff and subscribers who visit the affected pages. The CVSS scope is listed as Changed, indicating the impact can extend beyond the plugin code to affect other components or user contexts.
If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review.
Recommended Actions
- Update the affected plugin as soon as a patched version is available.
- Review and reduce unnecessary user roles, especially Contributor-level accounts.
- Enforce strong passwords and two-factor authentication for editors and administrators.
- Remove unused or unmaintained plugins from your site.
- Monitor site activity and access logs for unusual behavior, particularly changes to event pages or shortcodes.
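The monitoring item above and the shortcode mechanism in the Technical Details section can both be checked with a content audit. The following Python script is an added example, not part of the advisory or the plugin: it parses eo_events shortcodes out of post bodies the way WordPress's shortcode parser does (simplified) and flags any no_events attribute that contains tag-like or script-like text. The post rows and author roles are constructed sample data; on a real site you would feed it rows from wp_posts whose post_content contains "[eo_events".

```python
import re

# Constructed rows shaped like a wp_posts export joined with each author's role.
# These are sample data for the example, not content from any real site.
CONSTRUCTED_POSTS = [
    {"ID": 101, "post_author": "editor_jane", "role": "editor",
     "post_content": 'Upcoming: [eo_events limit="5" no_events="Nothing scheduled this month."]'},
    {"ID": 102, "post_author": "contrib_bob", "role": "contributor",
     "post_content": "[eo_events no_events='<script>/* constructed test payload */</script>']"},
    {"ID": 103, "post_author": "contrib_bob", "role": "contributor",
     "post_content": '[eo_events no_events="<em>No events</em>" limit=3] and [eo_events]'},
    {"ID": 104, "post_author": "admin", "role": "administrator",
     "post_content": "Plain page with no shortcode."},
]

# An eo_events tag up to its closing bracket. Like WordPress's own shortcode
# regex, this stops at the first ']' even inside a quoted value.
SHORTCODE_RE = re.compile(r"\[eo_events(?![\w-])(?P<atts>[^\]]*)\]")
# name="value", name='value' or name=value; simplified from shortcode_parse_atts().
ATT_RE = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'\]]+))""")
# Heuristic for text that should never appear in a plain-text message:
# an opening/closing tag, a javascript: URL, or an on...= event handler.
MARKUP_RE = re.compile(r"<\s*/?\s*[a-zA-Z]|javascript\s*:|\bon[a-zA-Z]+\s*=", re.IGNORECASE)


def parse_atts(raw):
    """Turn the attribute text of one shortcode into a dict (names lower-cased)."""
    atts = {}
    for match in ATT_RE.finditer(raw):
        name = match.group(1).lower()
        value = next(v for v in match.groups()[1:] if v is not None)
        atts[name] = value
    return atts


def find_shortcodes(content):
    """Return the attribute dict of every eo_events shortcode in a post body."""
    return [parse_atts(m.group("atts")) for m in SHORTCODE_RE.finditer(content)]


def audit_posts(posts):
    """Flag posts whose eo_events no_events attribute contains markup or script-like text."""
    findings = []
    for post in posts:
        for atts in find_shortcodes(post["post_content"]):
            value = atts.get("no_events")
            if value is not None and MARKUP_RE.search(value):
                findings.append({"ID": post["ID"], "author": post["post_author"],
                                 "role": post["role"], "no_events": value})
    return findings


if __name__ == "__main__":
    for f in audit_posts(CONSTRUCTED_POSTS):
        print(f"post {f['ID']} by {f['author']} ({f['role']}): no_events={f['no_events']!r}")
```

The check deliberately over-reports: the benign `<em>` message in post 103 is flagged alongside the script in post 102, because any markup in that attribute is worth a human look while the plugin is unpatched. Sorting the findings by author role puts Contributor-authored shortcodes, the ones this CVE is about, at the top of the review list.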
If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.