EventPrime WordPress Plugin Stored Cross-Site Scripting Vulnerability
The EventPrime – Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'new_event_type_background_color' parameter in all versions up to, and including, 4.3.4.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with custom-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This requires the plugin's Guest Submissions setting (allow_submission_by_anonymous_user) to be enabled, which allows unauthenticated attackers to submit event types via the frontend form; when that setting is disabled, exploitation requires at minimum a subscriber-level authenticated account.
Quick answer
EventPrime should be reviewed and updated if it matches the affected versions. The recommended fix is to apply the vendor-supported patched version or the mitigation steps below, then retest the public website with Fixnx.
Who is affected
Affected versions
- EventPrime up to and including 4.3.4.2
Fixed versions
- Apply the latest vendor-supported patched version.
How to fix it
EventPrime up to and including 4.3.4.2 is affected by CVE-2026-13441. The plugin can store untrusted script through event type color input when the vulnerable submission workflow is reachable, so public sites should patch and review stored event data.
- Inventory WordPress sites using EventPrime.
- Update EventPrime beyond 4.3.4.2 when the vendor publishes a fixed release.
- Disable guest submissions or restrict event type creation until the site is patched.
- Review event type fields, especially color/background parameters, for script payloads or encoded HTML.
- Remove malicious event records and purge page, object, and CDN caches.
- Apply a Content Security Policy that reduces the impact of stored script where compatible with the site.
- Review administrator sessions and user accounts if a privileged user viewed affected event pages.
Scan now. Google sign-in is only needed to unlock fix guidance.
Verify the fix
- Confirm EventPrime is no longer version 4.3.4.2 or older.
- Submit safe HTML/script-like input in staging and confirm it is rejected or escaped on output.
- Open previously affected event pages and confirm no stored script executes.
- Check browser console and response HTML for unescaped injected parameters.
- Run a Fixnx scan to recheck public event and WordPress exposure.
Related categories
Trusted references
FAQ
What is affected by CVE-2026-13441?
EventPrime versions listed as affected should be reviewed: EventPrime up to and including 4.3.4.2.
What should I fix first?
Start with internet-facing sites, admin panels, login flows, plugins, themes, modules, packages, and systems that process user-controlled input or sensitive data.
How do I confirm the fix worked?
Apply the patched version or mitigation, clear caches where relevant, retest the affected workflow, and run a new Fixnx scan to verify public website exposure signals.
Why can this risk appear in multiple categories?
A vulnerability can belong to more than one platform or ecosystem. Fixnx keeps one canonical risk page while also listing it in every relevant category.
