Skip to main content
CVE Vulnerability Database

CVE-2025-6975: Pixelite Events Manager XSS Vulnerability

CVE-2025-6975 is a reflected cross-site scripting flaw in Pixelite Events Manager for WordPress that allows attackers to inject malicious scripts. This article covers the technical details, affected versions, and mitigation.

Published:

CVE-2025-6975 Overview

CVE-2025-6975 is a Reflected Cross-Site Scripting (XSS) vulnerability in the Events Manager – Calendar, Bookings, Tickets, and more! plugin for WordPress. The flaw affects all versions up to and including 7.0.3. The vulnerability exists in the calendar_header parameter due to insufficient input sanitization and output escaping. Unauthenticated attackers can inject arbitrary web scripts that execute when a victim clicks a crafted link. The vulnerability is classified as [CWE-79] Improper Neutralization of Input During Web Page Generation.

Critical Impact

Unauthenticated attackers can execute arbitrary JavaScript in a victim's browser session, enabling session hijacking, credential theft, and unauthorized actions on behalf of authenticated users including administrators.

Affected Products

  • Pixelite Events Manager plugin for WordPress (all versions up to and including 7.0.3)
  • WordPress sites using the events-manager plugin
  • Vulnerable template file: templates/calendar/section-header-navigation.php

Discovery Timeline

  • 2025-07-09 - CVE-2025-6975 published to the National Vulnerability Database
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-6975

Vulnerability Analysis

The vulnerability resides in the calendar section header navigation template of the Events Manager plugin. The calendar_header parameter accepts user-supplied input from HTTP requests and reflects it into the rendered HTML response. The plugin fails to sanitize this input on ingress and does not escape it on output. This allows an attacker to inject arbitrary HTML and JavaScript payloads. Because the injected content is reflected in the response, exploitation requires social engineering to trick a victim into clicking a crafted URL. The scope change component of the vulnerability indicates the injected script can affect resources beyond the initial vulnerable component, such as other cookies or the DOM of the parent page.

Root Cause

The root cause is missing input validation and output escaping in the section-header-navigation.php template file. The calendar_header parameter value is written directly into the HTML output without applying WordPress escaping functions such as esc_attr(), esc_html(), or wp_kses(). This violates secure coding practices for handling user-controlled data in WordPress themes and plugins.

Attack Vector

An unauthenticated remote attacker crafts a URL containing a malicious payload in the calendar_header parameter and delivers it to a target via phishing email, social media, or a malicious website. When the victim clicks the link, the payload reflects into the response and executes in the victim's browser under the origin of the vulnerable WordPress site. If the victim is an authenticated administrator, the attacker can perform privileged actions such as creating new admin accounts, modifying plugin settings, or exfiltrating session cookies.

The vulnerability manifests when the calendar_header query parameter is echoed into the calendar navigation section without sanitization. Refer to the vulnerable WordPress template file and the Wordfence Vulnerability Report for technical details.

Detection Methods for CVE-2025-6975

Indicators of Compromise

  • HTTP requests containing suspicious payloads in the calendar_header query parameter, particularly containing <script>, javascript:, or HTML event handler strings such as onerror= and onload=
  • Web server access logs showing GET requests to calendar-related endpoints with URL-encoded script tags
  • Unexpected outbound requests from user browsers to attacker-controlled domains following a visit to the WordPress site
  • Creation of unauthorized administrator accounts or unexpected plugin/theme changes shortly after suspicious traffic

Detection Strategies

  • Inspect web application firewall (WAF) logs for reflected XSS signatures targeting the calendar_header parameter
  • Deploy content security policy (CSP) violation reporting to identify script injection attempts
  • Correlate referrer headers with external phishing infrastructure targeting WordPress admin users

Monitoring Recommendations

  • Monitor WordPress access logs for anomalous query strings on pages rendered by the Events Manager plugin
  • Alert on administrator session activity originating from unusual geographic locations or IP addresses following link clicks
  • Track WordPress audit logs for unexpected user role changes, plugin installations, or configuration modifications

How to Mitigate CVE-2025-6975

Immediate Actions Required

  • Update the Events Manager plugin to a version newer than 7.0.3 that includes the fix from WordPress Changeset #3321403
  • Audit WordPress administrator and editor accounts for unauthorized creations or privilege changes
  • Invalidate active administrator sessions and force password resets if suspicious activity is detected
  • Enable multi-factor authentication for all privileged WordPress accounts to limit the impact of stolen session cookies

Patch Information

The vendor addressed the vulnerability in WordPress Changeset #3321403. Site administrators should apply the update through the WordPress plugin dashboard or via WP-CLI. Verify the installed version is greater than 7.0.3 after updating.

Workarounds

  • If patching is not immediately possible, deactivate the Events Manager plugin until an updated version can be installed
  • Deploy a WAF rule to block requests containing script tags or JavaScript event handlers in the calendar_header parameter
  • Implement a strict Content Security Policy that disallows inline scripts and restricts script sources to trusted origins
bash
# Update Events Manager plugin via WP-CLI
wp plugin update events-manager

# Verify installed version is patched
wp plugin get events-manager --field=version

# Example WAF rule (ModSecurity) to block reflected XSS on calendar_header
SecRule ARGS:calendar_header "@rx (?i)(<script|javascript:|onerror=|onload=)" \
    "id:1006975,phase:2,deny,status:403,msg:'CVE-2025-6975 XSS attempt on calendar_header'"

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.