cleantalk
Vulnerabilities and Security Researches

Events Listing Widget, CVE-2026-1252

CVE, Research URL

CVE-2026-1252

Home page URL

Security reports for Events Listing Widget

Application

Events Listing Widget

Published on
Feb 06, 2026
Research Description
The Events Listing Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Event URL' parameter in all versions up to, and including, 1.3.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions
max 1.3.5.
Status
vulnerable
Previous vulnerability researches
Converter for Media – Optimize images | Convert WebP & AVIF (CVE-2025-13750) , Jan 28, 2026
Converter for Media – Optimize images | Convert WebP & AVIF (CVE-2019-15834) , Jun 06, 2024
Converter for Media – Optimize images | Convert WebP & AVIF (CVE-2021-25074) , Jun 10, 2024
Converter for Media – Optimize images | Convert WebP & AVIF (CVE-2026-1356) , Apr 14, 2026
New vulnerability
Head Meta Data (CVE-2026-0608) , Apr 15, 2026
NotificationX – Best FOMO, Social Proof, WooCommerce Sales Popup & Notification Bar Plugin With Elementor (CVE-2026-0554) , Apr 15, 2026
Download Manager (CVE-2026-1666) , Apr 15, 2026
Post Duplicator (CVE-2026-2301) , Apr 15, 2026
WCFM Marketplace – Best Multivendor Marketplace for WooCommerce (CVE-2026-1722) , Apr 15, 2026