highCVE-2026-13441

EventPrime WordPress Plugin Stored Cross-Site Scripting Vulnerability

The EventPrime – Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'new_event_type_background_color' parameter in all versions up to, and including, 4.3.4.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with custom-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This requires the plugin's Guest Submissions setting (allow_submission_by_anonymous_user) to be enabled, which allows unauthenticated attackers to submit event types via the frontend form; when that setting is disabled, exploitation requires at minimum a subscriber-level authenticated account.

ProductEventPrime
CVSS7.2
EPSSNot scored yet
UpdatedJuly 10, 2026

Quick answer

EventPrime should be reviewed and updated if it matches the affected versions. The recommended fix is to apply the vendor-supported patched version or the mitigation steps below, then retest the public website with Fixnx.

Who is affected

Affected versions

  • EventPrime up to and including 4.3.4.2

Fixed versions

  • Apply the latest vendor-supported patched version.

How to fix it

EventPrime up to and including 4.3.4.2 is affected by CVE-2026-13441. The plugin can store untrusted script through event type color input when the vulnerable submission workflow is reachable, so public sites should patch and review stored event data.

  1. Inventory WordPress sites using EventPrime.
  2. Update EventPrime beyond 4.3.4.2 when the vendor publishes a fixed release.
  3. Disable guest submissions or restrict event type creation until the site is patched.
  4. Review event type fields, especially color/background parameters, for script payloads or encoded HTML.
  5. Remove malicious event records and purge page, object, and CDN caches.
  6. Apply a Content Security Policy that reduces the impact of stored script where compatible with the site.
  7. Review administrator sessions and user accounts if a privileged user viewed affected event pages.

Scan now. Google sign-in is only needed to unlock fix guidance.

Verify the fix

  • Confirm EventPrime is no longer version 4.3.4.2 or older.
  • Submit safe HTML/script-like input in staging and confirm it is rejected or escaped on output.
  • Open previously affected event pages and confirm no stored script executes.
  • Check browser console and response HTML for unescaped injected parameters.
  • Run a Fixnx scan to recheck public event and WordPress exposure.

Related categories

Trusted references

FAQ

What is affected by CVE-2026-13441?

EventPrime versions listed as affected should be reviewed: EventPrime up to and including 4.3.4.2.

What should I fix first?

Start with internet-facing sites, admin panels, login flows, plugins, themes, modules, packages, and systems that process user-controlled input or sensitive data.

How do I confirm the fix worked?

Apply the patched version or mitigation, clear caches where relevant, retest the affected workflow, and run a new Fixnx scan to verify public website exposure signals.

Why can this risk appear in multiple categories?

A vulnerability can belong to more than one platform or ecosystem. Fixnx keeps one canonical risk page while also listing it in every relevant category.