CVE-2025-1410

6.4 MEDIUM

📋 TL;DR

This stored XSS vulnerability in the Pie Calendar WordPress plugin allows authenticated attackers with contributor-level access or higher to inject malicious scripts into website pages. When users visit compromised pages, the scripts execute in their browsers, potentially stealing credentials or performing unauthorized actions. All WordPress sites using Pie Calendar version 1.2.5 or earlier are affected.

💻 Affected Systems

Products:
  • Events Calendar Made Simple - Pie Calendar WordPress Plugin
Versions: All versions up to and including 1.2.5
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress installation with Pie Calendar plugin enabled and at least one user with contributor-level access.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal administrator credentials, deface websites, redirect users to malicious sites, or install backdoors for persistent access.

🟠 Likely Case

Attackers with contributor access inject malicious scripts that steal user session cookies or credentials when visitors load affected pages.

🟢 If Mitigated

With proper user access controls and content security policies, impact is limited to isolated script execution without data compromise.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access but is technically simple once attacker has contributor credentials.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.2.6

Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3243992/

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find 'Events Calendar Made Simple - Pie Calendar'.
4. Click 'Update Now' if available.
5. Alternatively, download version 1.2.6 from the WordPress repository and update manually.

🔧 Temporary Workarounds

Disable Pie Calendar Plugin

Platform: all

Temporarily disable the vulnerable plugin until patching is possible

wp plugin deactivate pie-calendar

Restrict Contributor Access

Platform: linux

Temporarily remove contributor-level access for untrusted users (the command below demotes every contributor to subscriber, so review `wp user list --role=contributor` first; `wp user set-role` takes the user before the role, hence the `-I{}` placeholder)

wp user list --role=contributor --field=ID | xargs -I{} wp user set-role {} subscriber

🧯 If You Can't Patch

  • Remove contributor and author roles from untrusted users
  • Implement Content Security Policy headers to restrict script execution

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel > Plugins > Installed Plugins for Pie Calendar version 1.2.5 or earlier

Check Version:

wp plugin get pie-calendar --field=version

Verify Fix Applied:

Verify Pie Calendar plugin version shows 1.2.6 or higher in WordPress admin
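The version check above can be scripted so that it is repeatable across many sites. The script below is an added example, not part of this advisory or of the plugin; it assumes the plugin slug is `pie-calendar` (as in the WP-CLI commands on this page) and that 1.2.6 is the first fixed release. It compares dotted versions component by component, so it also handles later branches such as 1.10.0 and pre-release suffixes.

```shell
#!/bin/sh
# Added example (not from the advisory or the plugin): decide whether an
# installed Pie Calendar version is still exposed to CVE-2025-1410.
# Assumptions: plugin slug "pie-calendar", first fixed release 1.2.6.

FIXED_VERSION="1.2.6"

# version_lt A B: exit 0 when dotted version A sorts before B.
# Components are compared numerically; a missing component counts as 0,
# so "1.2" is treated as 1.2.0 (and therefore as older than 1.2.6).
version_lt() {
  a_rest="$1."
  b_rest="$2."
  while [ -n "$a_rest" ] || [ -n "$b_rest" ]; do
    x=${a_rest%%.*}; a_rest=${a_rest#*.}
    y=${b_rest%%.*}; b_rest=${b_rest#*.}
    x=${x:-0}; y=${y:-0}
    [ "$x" -lt "$y" ] && return 0
    [ "$x" -gt "$y" ] && return 1
  done
  return 1   # all components equal: not "less than"
}

# pie_calendar_status VERSION: print "vulnerable", "patched" or "unknown".
pie_calendar_status() {
  # keep only the numeric dotted prefix: "v1.2.6-beta" -> "1.2.6"
  ver=$(printf '%s' "$1" | sed -e 's/^[vV]//' -e 's/[^0-9.].*$//')
  if [ -z "$ver" ]; then
    echo "unknown"      # plugin not installed or WP-CLI returned nothing
  elif version_lt "$ver" "$FIXED_VERSION"; then
    echo "vulnerable"
  else
    echo "patched"
  fi
}

# Usage: sh pie-calendar-check.sh [VERSION]
# With an argument, classify that version string (e.g. one read from the
# admin panel); without one, ask WP-CLI for the installed version.
if [ $# -gt 0 ]; then
  pie_calendar_status "$1"
elif command -v wp >/dev/null 2>&1; then
  pie_calendar_status "$(wp plugin get pie-calendar --field=version 2>/dev/null)"
fi
```

Run it from the WordPress root (where WP-CLI can find `wp-config.php`), or pass a version string explicitly when checking a site you cannot shell into. "unknown" means the plugin is absent or the lookup failed, which should be confirmed manually rather than read as "safe".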

📡 Detection & Monitoring

Log Indicators:

  • Unusual post/page edits by contributor users
  • Suspicious shortcode modifications containing script tags

Network Indicators:

  • Unexpected external script loads from WordPress pages
  • Suspicious outbound connections from user browsers

SIEM Query:

source="wordpress" AND (event="post_modified" OR event="plugin_updated") AND plugin="pie-calendar"
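The "script tags in shortcode/post content" indicator above can be checked directly against stored post content rather than waiting for a SIEM hit. The script below is an added example, not part of this advisory or of the plugin; it flags three common injected-markup markers (a `<script>` tag, an inline `on*=` event-handler attribute, and a `javascript:` URI) and runs over constructed sample records embedded in the file. On a real site the same function can be fed the output of `wp post list --post_type=any --format=ids` piped through `wp post get <ID> --field=post_content`.

```shell
#!/bin/sh
# Added example (not from the advisory or the plugin): flag stored post
# content that carries inline-script markers. Sample records below are
# constructed for the demo, not taken from any real site.

# scan_post_content CONTENT: print the marker names found (space separated)
# and exit 0; print nothing and exit 1 when the content looks clean.
scan_post_content() {
  content="$1"
  hits=""
  # 1. a <script> element, inline or external
  printf '%s' "$content" | grep -qi '<script' && hits="$hits script-tag"
  # 2. an on*= event-handler attribute inside a tag (onerror=, onload=, ...)
  printf '%s' "$content" | grep -qiE '<[^>]*[[:space:]]on[a-z]+[[:space:]]*=' \
    && hits="$hits event-handler-attr"
  # 3. a javascript: URI in an href or src attribute
  printf '%s' "$content" | grep -qiE "(href|src)[[:space:]]*=[[:space:]]*[\"']?javascript:" \
    && hits="$hits javascript-uri"
  [ -n "$hits" ] && printf '%s\n' "${hits# }"
  [ -n "$hits" ]
}

# Constructed sample records in "ID|post_content" form.
SAMPLES='101|[piecal] Upcoming events for the club
102|<p>Meeting notes</p><img src="x" onerror="loadWidget()">
103|<a href="javascript:void(0)">link</a>
104|<script src="https://cdn.example.invalid/t.js"></script>'

# Demo run: one line per record, flagged records list the markers seen.
printf '%s\n' "$SAMPLES" | while IFS='|' read -r id content; do
  if markers=$(scan_post_content "$content"); then
    printf 'post %s: FLAG %s\n' "$id" "$markers"
  else
    printf 'post %s: clean\n' "$id"
  fi
done
```

These patterns are deliberately narrow so the output stays reviewable; a flagged post still needs a human look at its revision history (the author and timestamp of the edit that introduced the markup) before any action is taken.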
