CVE-2025-26536
Published: 26 March 2025
Description
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.
Security Summary
CVE-2025-26536 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, affecting the Yendif Player Another Events Calendar WordPress plugin (another-events-calendar). The issue impacts all versions from n/a through 1.7.0 inclusive, as published on 2025-03-26.
With a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), the vulnerability is exploitable over the network by unauthenticated attackers requiring low complexity and user interaction, such as clicking a malicious link. Exploitation changes the security scope, enabling limited impacts on confidentiality, integrity, and availability, such as executing scripts in the victim's browser context to steal session data or manipulate page content.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/another-events-calendar/vulnerability/wordpress-another-events-calendar-plugin-1-7-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve details the Reflected XSS vulnerability in the Another Events Calendar plugin version 1.7.0, providing guidance for practitioners on associated risks and potential mitigations.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Reflected XSS enables delivery via crafted malicious links requiring user click (T1204.001) and execution of scripts to steal session data/cookies (T1539).