CVE-2024-8493: The Events Calendar < 6.6.4 - Admin+ Stored XSS
First published: Thu May 15 2025(Updated: )
The Events Calendar WordPress plugin before 6.6.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
Credit: contact@wpscan.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| The Events Calendar | <6.6.4 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Frequently Asked Questions
What is the severity of CVE-2024-8493?
CVE-2024-8493 has a severity rating that indicates it poses a risk of Stored Cross-Site Scripting attacks due to insufficient sanitization.
How do I fix CVE-2024-8493?
To fix CVE-2024-8493, update the Events Calendar WordPress plugin to version 6.6.4 or later.
Who is affected by CVE-2024-8493?
CVE-2024-8493 affects instances of the Events Calendar WordPress plugin prior to version 6.6.4, particularly in environments where high privilege users, like admins, can exploit the vulnerability.
What kind of attacks can CVE-2024-8493 allow?
CVE-2024-8493 can allow high privilege users to execute Stored Cross-Site Scripting attacks.
Is CVE-2024-8493 relevant to multisite WordPress installations?
Yes, CVE-2024-8493 is particularly relevant to multisite WordPress installations where unfiltered_html capability is disallowed.
- collector/mitre-cve
- source/MITRE
- agent/weakness
- agent/title
- agent/references
- agent/type
- agent/first-publish-date
- agent/description
- agent/guess-ai
- agent/software-canonical-lookup
- agent/softwarecombine
- agent/author
- agent/source
- agent/tags
- collector/nvd-api
- source/NVD
- agent/last-modified-date
- agent/severity
- agent/event
- vendor/the events calendar
- canonical/the events calendar