MEDIUM
ruchit47
CVE published 2026-05-27
CVE-2026-8898
The Events In City plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via the 'org-events' shortcode in versions up to and including 3.0. The vulnerability exists in the org_event_scode() function, where user-supplied attributes—including 'organizer_id', 'width', 'height', 'transparency', 'header', 'border', and 'layout'—are concatenated directly into HTML attributes without proper sa [truncated]