CVE-2025-5144

6.4 MEDIUM

📋 TL;DR

This vulnerability allows authenticated WordPress users with Contributor-level access or higher to inject malicious scripts into website pages through the Events Calendar plugin. The scripts execute automatically when other users view the compromised pages, enabling session hijacking, defacement, or malware distribution. All WordPress sites using The Events Calendar plugin versions up to 6.13.2 are affected.

💻 Affected Systems

Products:
  • The Events Calendar WordPress plugin
Versions: All versions up to and including 6.13.2
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress installation with The Events Calendar plugin enabled. Attacker needs at least Contributor-level WordPress user account.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal administrator credentials, install backdoors, redirect users to malicious sites, or completely compromise the WordPress site and potentially the underlying server.

🟠 Likely Case

Attackers inject malicious JavaScript to steal user session cookies, redirect users to phishing pages, or deface the website with unwanted content.

🟢 If Mitigated

With proper input validation and output escaping, injected markup is rendered as inert text instead of being executed, limiting the impact to cosmetic HTML display issues.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access but is technically simple once an attacker has Contributor-level credentials.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.13.3 or later

Vendor Advisory: https://wordpress.org/plugins/the-events-calendar/#developers

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'The Events Calendar' plugin.
4. Click 'Update Now' if an update is offered.
5. Alternatively, download version 6.13.3 or later from WordPress.org and manually replace the plugin files.

🔧 Temporary Workarounds

Temporary Output Filtering

Strips 'data-date-*' attributes from rendered post content. Note that this is output filtering, not input sanitization: the stored post content is left unchanged, and any markup the plugin renders without passing through the the_content filter is not covered. Treat it as a stop-gap until 6.13.3 is installed, and test it on a staging site first, because it also removes legitimate data-date-* attributes.

Add to the active theme's functions.php (or to a small mu-plugin, so it survives theme updates):

    <?php
    // Temporary mitigation for CVE-2025-5144: drop every data-date-* attribute
    // (double- or single-quoted) from content rendered through the_content.
    add_filter( 'the_content', 'sanitize_custom_params' );
    function sanitize_custom_params( $content ) {
        return preg_replace( '/\s*data-date-[^\s=>]*\s*=\s*("[^"]*"|\'[^\']*\')/i', '', $content );
    }

🧯 If You Can't Patch

  • Restrict user roles: revoke Contributor-level or higher access from untrusted accounts, and review existing Contributor+ accounts for ones that are no longer needed
  • Implement Web Application Firewall (WAF) rules to block requests whose 'data-date-*' parameters carry script tags, javascript: URIs, or on*= event handlers (decode URL encoding before matching)

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin → Plugins → The Events Calendar → Version number. If version is 6.13.2 or lower, you are vulnerable.

Check Version:

wp plugin get the-events-calendar --field=version (if WP-CLI installed)
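A version check that avoids the string-comparison trap ("6.13.10" sorts before "6.13.3" as text but is a patched release), added here as an example and not part of the original advisory or of WP-CLI itself. It assumes WP-CLI is on PATH, that the installed version is a plain dotted number as 'wp plugin get ... --field=version' prints it, and that the site root is passed via WP-CLI's --path global flag; the function names are the example's own.

```python
import re
import subprocess
import sys
from typing import Tuple

FIXED_IN = (6, 13, 3)            # first release the advisory lists as patched
PLUGIN_SLUG = "the-events-calendar"


def parse_version(raw: str) -> Tuple[int, ...]:
    """'6.13.2' -> (6, 13, 2). Versions must be compared as integer tuples,
    never as strings: '6.13.10' < '6.13.3' is True for strings and wrong
    for versions. Anything that is not a plain dotted number (e.g. a
    '-dev' suffix) is rejected so it is never silently treated as patched."""
    m = re.fullmatch(r"\s*(\d+(?:\.\d+)*)\s*", raw)
    if not m:
        raise ValueError(f"unrecognised version string: {raw!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_vulnerable(raw: str) -> bool:
    """True when the installed version predates the fixed release."""
    return parse_version(raw) < FIXED_IN


def installed_version(wp_path: str) -> str:
    """Ask WP-CLI for the plugin version of the install rooted at wp_path."""
    out = subprocess.run(
        ["wp", "plugin", "get", PLUGIN_SLUG, "--field=version", f"--path={wp_path}"],
        check=True, capture_output=True, text=True,
    )
    return out.stdout.strip()


if __name__ == "__main__":
    # Usage: python check_tec.py /var/www/site1 /var/www/site2 ...
    for path in sys.argv[1:]:
        version = installed_version(path)
        state = "VULNERABLE" if is_vulnerable(version) else "patched"
        print(f"{path}: {PLUGIN_SLUG} {version} -> {state}")
```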

Verify Fix Applied:

After updating, verify version shows 6.13.3 or higher in WordPress plugins list. Test by attempting to inject simple alert script via Contributor account (in test environment only).

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests containing 'data-date-' parameters with script tags
  • Multiple failed login attempts followed by successful Contributor-level login

Network Indicators:

  • HTTP requests with suspicious 'data-date-*' parameters containing JavaScript payloads

SIEM Query (loose first pass: "script" also matches benign words such as "description", and URL-encoded payloads such as %3Cscript%3E must be decoded before the match):

source="wordpress.log" AND ("data-date-" AND ("script" OR "javascript:" OR "onerror="))
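The SIEM query above is a plain substring match, so URL-encoded or entity-encoded payloads (%3Cscript%3E, double-encoded %253C, &amp;#106;avascript:) slip past it while "description" trips it. The detector below, added here as an example rather than code from the original page, restricts the match to data-date-* POST parameters and decodes each value (URL encoding, repeated up to three times, then HTML entities) before matching. It runs over a constructed JSON-lines request log that stands in for a WAF or audit log recording POST bodies; the record fields and the log format are assumptions, and ordinary web-server access logs do not contain POST bodies, so it cannot be pointed at those.

```python
import json
import re
from html import unescape
from typing import Dict, List, Optional
from urllib.parse import parse_qsl, unquote_plus

# Constructed sample log (not real traffic): one JSON record per request, with
# the raw POST body as a WAF or WordPress audit log would record it.
SAMPLE_LOG = """\
{"ts":"2025-06-01T10:00:01Z","method":"POST","uri":"/wp-admin/post.php","user":"contributor1","body":"post_ID=42&data-date-start=2025-06-01&data-date-end=2025-06-02"}
{"ts":"2025-06-01T10:00:07Z","method":"POST","uri":"/wp-admin/post.php","user":"contributor1","body":"post_ID=42&data-date-start=%22%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E"}
{"ts":"2025-06-01T10:00:09Z","method":"POST","uri":"/wp-admin/post.php","user":"contributor1","body":"post_ID=43&data-date-end=x%2522%2520onerror%253Dalert(1)"}
{"ts":"2025-06-01T10:00:12Z","method":"GET","uri":"/events/?tribe-bar-date=2025-06-01","user":"-","body":""}
{"ts":"2025-06-01T10:00:15Z","method":"POST","uri":"/wp-admin/post.php","user":"editor1","body":"post_ID=44&content=javascript%3Avoid(0)&data-date-start=2025-06-03"}
{"ts":"2025-06-01T10:00:20Z","method":"POST","uri":"/wp-admin/post.php","user":"contributor2","body":"post_ID=45&data-date-title=%26%23106%3Bavascript%3Aalert(1)"}
"""

MAX_DECODE_ROUNDS = 3

# Indicators from the advisory's log/network sections, as regexes on the
# decoded value rather than bare substrings.
PAYLOAD_PATTERNS = (
    ("script-tag", re.compile(r"<\s*/?\s*script\b")),
    ("javascript-uri", re.compile(r"javascript\s*:")),
    ("event-handler", re.compile(r"\bon[a-z]+\s*=")),
)


def normalize(value: str) -> str:
    """Undo up to MAX_DECODE_ROUNDS layers of URL encoding, then HTML
    entities, and lowercase, so %253Cscript, &#106;avascript and <SCRIPT
    all compare equal to their plain forms."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return unescape(value).lower()


def scan_record(rec: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Return a finding for one request record, or None if it looks benign.
    Only data-date-* parameters of POST requests are inspected, so a
    javascript: string in an unrelated field does not raise an alert."""
    if rec.get("method") != "POST":
        return None
    # parse_qsl already strips one layer of URL encoding from each value.
    for name, raw_value in parse_qsl(rec.get("body", ""), keep_blank_values=True):
        if not name.lower().startswith("data-date-"):
            continue
        value = normalize(raw_value)
        for label, pattern in PAYLOAD_PATTERNS:
            if pattern.search(value):
                return {"ts": rec["ts"], "user": rec["user"], "param": name,
                        "indicator": label, "decoded": value}
    return None


def scan_log(text: str) -> List[Dict[str, str]]:
    """Run scan_record over every non-empty JSON line and collect findings."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        finding = scan_record(json.loads(line))
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} user={f['user']} param={f['param']} "
              f"indicator={f['indicator']} decoded={f['decoded']!r}")
```

Records 2, 3 and 6 are flagged (single-encoded script tag, double-encoded event handler, entity-encoded javascript: URI); record 5 is not, because its javascript: string sits in the content field rather than a data-date-* parameter, which the bare SIEM query would have reported.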
