Cyber Posture

CVE-2025-23610

High

Published: 22 January 2025

Modified: 23 April 2026
KEV Added
Patch
CVSS Score: 7.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L)
EPSS Score: 0.0034 (57.0th percentile)
Risk Priority: 14 (60% EPSS · 20% KEV · 20% CVSS)

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Tehsmash Ultimate Events ultimate-events allows Reflected XSS. This issue affects Ultimate Events: from n/a through <= 1.3.3.

Security Summary

CVE-2025-23610 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the Tehsmash Ultimate Events WordPress plugin (ultimate-events). It affects versions from n/a through 1.3.3, as documented in the CVE published on 2025-01-22.

The vulnerability has a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L): it is exploitable over the network with low attack complexity and no privileges, but it requires user interaction, and the scope is changed. An unauthenticated remote attacker exploits it by tricking a user into interacting with maliciously crafted input that is reflected in a web page, with low impact on confidentiality, integrity, and availability.

Mitigation details are available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/ultimate-events/vulnerability/wordpress-ultimate-events-plugin-1-3-3-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve.

Details

CWE(s)
CWE-79
