
Analysis Report · Folder Analysis cache/wp-event-solution_4.0.51 → cache/wp-event-solution_4.0.52 — CVE-2025-14657

Shared security patch analysis results

CVE Security Analysis & Writeups (AI-generated, per CVE)

Comprehensive security analysis generated by AI for each confirmed CVE match. Click on a CVE to view the detailed writeup including vulnerability background, technical details, patch analysis, and PoC guide.

CVE-2025-14657 NVD
AI-Generated Analysis
templates/event/parts/faq.php AI: 1 vulnerability (1 true positive) CVE-2025-14657
--- cache/wp-event-solution_4.0.51/templates/event/parts/faq.php	2026-01-09 00:38:10.016546968 +0000+++ cache/wp-event-solution_4.0.52/templates/event/parts/faq.php	2026-01-09 00:43:17.339303237 +0000@@ -19,9 +19,9 @@                             ?>         </h4>         <p class="etn-acccordion-contents <?php echo esc_attr( $acc_class ); ?>">-            <?php +            <?php                                 if ( has_blocks( $faq["etn_faq_content"] ) ) {-                                    echo do_blocks( $faq["etn_faq_content"] );+                                    echo wp_kses_post( do_blocks( $faq["etn_faq_content"] ) );                                 } else {                                     echo esc_html( $faq["etn_faq_content"] );                                 }
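Review bot: the wp_kses_post() wrapper around do_blocks() at the changed line is the right fix for the unescaped echo, but it filters the rendered block HTML against the post-content allowlist, so any block that legitimately renders an element outside that list (an iframe-based embed, for instance) will have it stripped from the FAQ; if such blocks are expected in FAQ content, verify the rendered output after this change. The two branches are also now asymmetric: block content is rendered as allowed HTML while non-block content still goes through esc_html() and appears as plain text, which is worth a sentence in the changelog so site owners understand why classic-editor FAQ markup shows literally.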
AI Analysis
Vulnerability Existed: yes
TRUE POSITIVE
[Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')] - [CWE-79] - [templates/event/parts/faq.php] [Line 23]

Old Code:
```php
echo do_blocks( $faq["etn_faq_content"] );
```

Fixed Code:
```php
echo wp_kses_post( do_blocks( $faq["etn_faq_content"] ) );
```

Explanation:
The original code directly echoes the output of `do_blocks()` without any sanitization. While `do_blocks()` processes WordPress block content, it does not sanitize the output for safe display in HTML context. This creates a Stored Cross-Site Scripting (XSS) vulnerability where malicious JavaScript or HTML could be injected through the FAQ content and executed in users' browsers. The fix wraps the output with `wp_kses_post()`, which sanitizes the content to allow only safe HTML tags and attributes while removing any potentially malicious scripts or event handlers. This is the proper WordPress way to safely output user-generated or dynamic content.
CVE Analysis Results:
CVE-2025-14657: Yes
CVE Description:
The Eventin – Event Manager, Events Calendar, Event Tickets and Registrations plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'post_settings' function in all versions up to, and including, 4.0.51. This makes it possible for unauthenticated attackers to modify plugin settings. Furthermore, due to insufficient input sanitization and output escaping on the 'etn_primary_color' setting, this enables unauthenticated attackers to inject arbitrary web scripts that will execute whenever a user accesses a page where Eventin styles are loaded.
templates/event/parts/styles/event-banner/style-1.php AI: No vulnerabilities CVE-2025-14657
--- /dev/null+++ cache/wp-event-solution_4.0.52/templates/event/parts/styles/event-banner/style-1.php@@ -0,0 +1,10 @@+<div class="eventin-block-container+<?php echo esc_attr($container_class); ?>">+    <div class="event-banner">+        <?php if ($event_banner): ?>+        <img class="event-banner-image" src="<?php echo esc_url($event_banner) ?>" alt="event-banner">+        <?php else: ?>+        <p><?php esc_html_e('No event banner image found.', 'eventin'); ?></p>+        <?php endif; ?>+    </div>+</div>
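Review bot: the opening div's class attribute is split across two source lines ("eventin-block-container" on one, the esc_attr($container_class) echo on the next), so a literal newline is emitted inside the attribute value; browsers tolerate it, but joining it as `<div class="eventin-block-container <?php echo esc_attr($container_class); ?>">` avoids odd markup. The escaping itself is correct: esc_url() on the src and esc_attr() on the class. Two minor points: the hard-coded alt="event-banner" is neither descriptive nor translatable (an alt derived from the event title via esc_attr() would serve accessibility better), and `<?php echo esc_url($event_banner) ?>` drops the semicolon before ?>, which PHP accepts but the rest of the template does not do.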
AI Analysis
Vulnerability Existed: no

Cross-Site Scripting (XSS) - CWE-79 - templates/event/parts/styles/event-banner/style-1.php - Lines 2, 5, 7

Old Code:
N/A (new file)

Fixed Code:
```php
<div class="eventin-block-container
<?php echo esc_attr($container_class); ?>">
    <div class="event-banner">
        <?php if ($event_banner): ?>
        <img class="event-banner-image" src="<?php echo esc_url($event_banner) ?>" alt="event-banner">
        <?php else: ?>
        <p><?php esc_html_e('No event banner image found.', 'eventin'); ?></p>
        <?php endif; ?>
    </div>
</div>
```

Explanation:
This is a new file with no previous vulnerable code to fix. However, the code properly implements security best practices by using appropriate WordPress escaping functions:
- Line 2: `esc_attr()` is correctly used to escape HTML attributes in the class string
- Line 5: `esc_url()` is correctly used to escape the image URL to prevent XSS through the src attribute
- Line 7: `esc_html_e()` is correctly used to escape and localize the output text

No XSS vulnerabilities exist in this code as all user-controlled data and variables are properly escaped before output.
CVE Analysis Results:
CVE-2025-14657: Yes
templates/event/parts/styles/venue/style-3.php AI: No vulnerabilities CVE-2025-14657
--- /dev/null+++ cache/wp-event-solution_4.0.52/templates/event/parts/styles/venue/style-3.php@@ -0,0 +1,115 @@+<div class="<?php echo esc_attr($container_class); ?>">+    <div class="eventin-block-container">+        <div class="etn-venue-info-wrapper style-3">+            <div class="etn-venue-info-content">+                <div class="etn-venue-info-content-inner">+                    <h3 class="etn-venue-info-title"><?php echo esc_html__('Venue Info', 'eventin'); ?></h3>+                    <div class="etn-venue-info-list">+                        <?php if (! empty($event_location)): ?>+                        <div class="etn-venue-info-item">+                            <div class="etn-venue-info-icon">+                                <svg xmlns="http://www.w3.org/2000/svg" width="16" height="18" viewBox="0 0 16 18" fill="none">+                                    <path d="M7.65043 9.89632C9.02928 9.89632 10.1471 8.77855 10.1471 7.3997C10.1471 6.02085 9.02928 4.90308 7.65043 4.90308C6.27158 4.90308 5.15381 6.02085 5.15381 7.3997C5.15381 8.77855 6.27158 9.89632 7.65043 9.89632Z" stroke="#5D5DFF" stroke-width="1.5"/>+                                    <path d="M0.94523 5.9433C2.52162 -0.986432 12.7882 -0.97843 14.3566 5.9513C15.2768 10.0163 12.7482 13.4572 10.5316 15.5857C8.92322 17.1381 6.37859 17.1381 4.76218 15.5857C2.55363 13.4572 0.0249999 10.0083 0.94523 5.9433Z" stroke="#5D5DFF" stroke-width="1.5"/>+                                </svg>+                            </div>+                            <div class="etn-venue-info-text"><?php echo esc_html($event_location); ?></div>+                        </div>+                        <?php endif; ?>++                        <?php if (! empty($start_date) || ! 
empty($end_date)): ?>+                        <div class="etn-venue-info-item">+                            <div class="etn-venue-info-icon">+                                <svg xmlns="http://www.w3.org/2000/svg" width="16" height="18" viewBox="0 0 16 18" fill="none">+                                    <path d="M4.6001 0.599976V2.99998" stroke="#5D5DFF" stroke-width="1.2" stroke-miterlimit="10" stroke-linecap="round" stroke-linejoin="round"/>+                                    <path d="M10.9985 0.599976V2.99998" stroke="#5D5DFF" stroke-width="1.2" stroke-miterlimit="10" stroke-linecap="round" stroke-linejoin="round"/>+                                    <path d="M0.998535 6.27197H14.5985" stroke="#5D5DFF" stroke-width="1.2" stroke-miterlimit="10" stroke-linecap="round" stroke-linejoin="round"/>+                                    <path d="M15.0001 5.79993V12.5999C15.0001 14.9999 13.8001 16.5999 11.0001 16.5999H4.6001C1.8001 16.5999 0.600098 14.9999 0.600098 12.5999V5.79993C0.600098 3.39993 1.8001 1.79993 4.6001 1.79993H11.0001C13.8001 1.79993 15.0001 3.39993 15.0001 5.79993Z" stroke="#5D5DFF" stroke-width="1.2" stroke-miterlimit="10" stroke-linecap="round" stroke-linejoin="round"/>+                                    <path d="M10.7535 9.95994H10.7607" stroke="#5D5DFF" stroke-width="1.6" stroke-linecap="round" stroke-linejoin="round"/>+                                    <path d="M10.7535 12.36H10.7607" stroke="#5D5DFF" stroke-width="1.6" stroke-linecap="round" stroke-linejoin="round"/>+                                    <path d="M7.79648 9.95994H7.80367" stroke="#5D5DFF" stroke-width="1.6" stroke-linecap="round" stroke-linejoin="round"/>+                                    <path d="M7.79648 12.36H7.80367" stroke="#5D5DFF" stroke-width="1.6" stroke-linecap="round" stroke-linejoin="round"/>+                                    <path d="M4.83555 9.95994H4.84273" stroke="#5D5DFF" stroke-width="1.6" stroke-linecap="round" stroke-linejoin="round"/>+                    
                <path d="M4.83555 12.36H4.84273" stroke="#5D5DFF" stroke-width="1.6" stroke-linecap="round" stroke-linejoin="round"/>+                                </svg>+                            </div>+                            <div class="etn-venue-info-text">+                                <?php+                                    if (! empty($start_date) && ! empty($end_date)) {+                                        echo esc_html($start_date) . ' - ' . esc_html($end_date);+                                    } elseif (! empty($start_date)) {+                                        echo esc_html($start_date);+                                    } elseif (! empty($end_date)) {+                                        echo esc_html($end_date);+                                    }+                                ?>+                            </div>+                        </div>+                        <?php endif; ?>++                        <?php if (! empty($start_time) || ! empty($end_time)): ?>+                        <div class="etn-venue-info-item">+                            <div class="etn-venue-info-icon">+                                <svg xmlns="http://www.w3.org/2000/svg" width="18" height="18" viewBox="0 0 18 18" fill="none">+                                    <path d="M16.75 8.75C16.75 13.166 13.166 16.75 8.75 16.75C4.334 16.75 0.75 13.166 0.75 8.75C0.75 4.334 4.334 0.75 8.75 0.75C13.166 0.75 16.75 4.334 16.75 8.75Z" stroke="#5D5DFF" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round"/>+                                    <path d="M11.7171 11.294L9.23712 9.81396C8.80512 9.55796 8.45312 8.94196 8.45312 8.43796V5.15796" stroke="#5D5DFF" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round"/>+                                </svg>+                            </div>+                            <div class="etn-venue-info-text">+                                <?php+                                    if (! 
empty($start_time) && ! empty($end_time)) {+                                        echo esc_html($start_time) . ' - ' . esc_html($end_time);+                                    } elseif (! empty($start_time)) {+                                        echo esc_html($start_time);+                                    } elseif (! empty($end_time)) {+                                        echo esc_html($end_time);+                                    }+                                ?>+                            </div>+                        </div>+                        <?php endif; ?>+                    </div>+                </div>++                <div class="etn-venue-get-direction-container">+                    <?php if (! empty($venue_latitude) && ! empty($venue_longitude)): ?>+                        <a href="https://www.google.com/maps?q=<?php echo esc_attr($venue_latitude); ?>,<?php echo esc_attr($venue_longitude); ?>" target="_blank" class="etn-venue-get-direction">+                            <?php echo esc_html__('Get Direction', 'eventin'); ?>+                            <svg xmlns="http://www.w3.org/2000/svg" width="16" height="13" viewBox="0 0 16 13" fill="none">+                                <path d="M5.24537e-07 6.22791L15 6.22791" stroke="#5D5DFF" stroke-width="2"/>+                                <path d="M9.96338 0.309936C10.4242 1.72373 12.0371 4.90304 14.8021 6.30994" stroke="#5D5DFF" stroke-width="2"/>+                                <path d="M9.96338 12.3099C10.4242 10.8961 12.0371 7.71683 14.8021 6.30994" stroke="#5D5DFF" stroke-width="2"/>+                            </svg>+                        </a>+                    <?php endif; ?>+                </div>+            </div>++            <?php if (! empty($venue_latitude) && ! empty($venue_longitude)):+                    $google_api_key = function_exists('etn_get_option') ? 
etn_get_option('google_api_key') : '';+                    $map_url        = 'https://www.google.com/maps/embed/v1/place';+                    if ($google_api_key) {+                        $map_url .= '?key=' . esc_attr($google_api_key) . '&q=' . esc_attr($venue_latitude) . ',' . esc_attr($venue_longitude);+                    } else {+                        // Fallback to static map or basic embed+                        $map_url = 'https://www.google.com/maps?q=' . esc_attr($venue_latitude) . ',' . esc_attr($venue_longitude) . '&output=embed';+                    }+                ?>+						                    <div class="etn-venue-map-container">+						                        <iframe+						                            class="etn-venue-map"+						                            src="<?php echo esc_url($map_url); ?>"+						                            allowfullscreen+						                            loading="lazy"+						                            referrerpolicy="no-referrer-when-downgrade">+						                        </iframe>+						                    </div>						                          					                          				                          			                          		                          	                          																																				            <?php else: ?>+                    <div class="etn-venue-map-container">+                        <div style="display: flex; align-items: center; justify-content: center; height: 100%; color: #999; font-size: 14px;">+                            <?php echo esc_html__('Map location not available', 'eventin'); ?>+                        </div>+                    </div>+            <?php endif; ?>+        </div>+    </div>+</div>
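Review bot: in the $map_url construction, esc_attr() is used as though it were URL encoding (`$map_url .= '?key=' . esc_attr($google_api_key) . '&q=' . esc_attr($venue_latitude) . ',' . esc_attr($venue_longitude);`); esc_attr() encodes HTML-special characters, not URL-reserved ones, and the later esc_url($map_url) validates the scheme and encodes spaces but will not percent-encode a stray & or = inside a value. Build the query with add_query_arg() or rawurlencode() each value, and since the coordinates come from stored meta, consider checking is_numeric() on $venue_latitude and $venue_longitude before embedding them. The same applies to the maps?q= href in the Get Direction link, which could also carry rel="noopener noreferrer" alongside target="_blank". Separately, a long run of tab and space characters was committed before the `<?php else: ?>` of the map block and should be removed.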
AI Analysis

Vulnerability Existed: no
[Cross-Site Scripting (XSS)] - [CWE-79] - [templates/event/parts/styles/venue/style-3.php] [Lines 1-115]
Old Code:
N/A (new file)
Fixed Code:
The entire file uses proper output escaping functions throughout:
- `esc_attr()` for HTML attributes (lines 1, 82, 87, 88, 103)
- `esc_html()` for text content (lines 6, 22, 54, 57, 60, 63, 66, 106, 111)
- `esc_url()` for URLs (line 102)
- `esc_html__()` for translatable strings (lines 6, 83, 111)

Explanation:
This is a newly created template file that demonstrates secure coding practices. All dynamic user-controlled data is properly escaped before output:
- Location, dates, and times use `esc_html()` for safe text rendering
- Map coordinates and API key use `esc_attr()` when used in URL parameters
- The Google Maps embed URL uses `esc_url()` for safe href/src attributes
- All translatable strings use appropriate `esc_html__()` functions

There are no instances of unescaped output of variables, concatenated user data, or unsafe HTML injection. The code follows WordPress security best practices and the OWASP principle of output encoding.
CVE Analysis Results:
CVE-2025-14657: Yes
templates/event/purchase-form/recurring-event-ticket.php AI: 2 vulnerabilities (1 false positive, 1 true positive) CVE-2025-14657
--- cache/wp-event-solution_4.0.51/templates/event/purchase-form/recurring-event-ticket.php	2026-01-09 00:38:10.020547212 +0000+++ cache/wp-event-solution_4.0.52/templates/event/purchase-form/recurring-event-ticket.php	2026-01-09 00:43:17.459310578 +0000@@ -1,83 +1,83 @@ <?php-use Etn\Utils\Helper;+    use Etn\Utils\Helper; -$etn_left_tickets       = !empty( $data['etn_left_tickets'] ) ? $data['etn_left_tickets'] : 0;-$etn_ticket_unlimited   = ( isset( $data['etn_ticket_unlimited'] ) && $data['etn_ticket_unlimited'] == "no" ) ? true : false;-$etn_ticket_price       = isset( $data['etn_ticket_price'] ) ? $data['etn_ticket_price'] : '';-$ticket_qty             = get_post_meta( $single_event_id, "etn_sold_tickets", true );-$total_sold_ticket      = isset( $ticket_qty ) ? intval( $ticket_qty ) : 0;-$is_zoom_event          = get_post_meta( $single_event_id, 'etn_zoom_event', true );-$event_options          = !empty( $data['event_options'] ) ? $data['event_options'] : [];-$event_title            = get_the_title( $single_event_id );-$separate               = (!empty($data['event_end_date'])) ? ' - ' : '';-$settings               = Helper::get_settings();-$attendee_reg_enable    = !empty( $settings["attendee_registration"] ) ? true : false;-$active_class           = ($i===0) ? 'active' : '';-$active_item            = ($i===0) ? 'style=display:block' : '';-$etn_min_ticket         = !empty(get_post_meta( $single_event_id, 'etn_min_ticket', true )) ? get_post_meta( $single_event_id, 'etn_min_ticket', true ) : 1;-$etn_max_ticket         = !empty(get_post_meta( $single_event_id, 'etn_max_ticket', true )) ? get_post_meta( $single_event_id, 'etn_max_ticket', true ) : $etn_left_tickets;-$etn_max_ticket         =  min($etn_left_tickets, $etn_max_ticket);-$disable_purchase_form  = get_post_meta( $single_event_id, 'etn_disable_purchase_form', true );+    $etn_left_tickets      = ! empty($data['etn_left_tickets']) ? 
$data['etn_left_tickets'] : 0;+    $etn_ticket_unlimited  = (isset($data['etn_ticket_unlimited']) && $data['etn_ticket_unlimited'] == "no") ? true : false;+    $etn_ticket_price      = isset($data['etn_ticket_price']) ? $data['etn_ticket_price'] : '';+    $ticket_qty            = get_post_meta($single_event_id, "etn_sold_tickets", true);+    $total_sold_ticket     = isset($ticket_qty) ? intval($ticket_qty) : 0;+    $is_zoom_event         = get_post_meta($single_event_id, 'etn_zoom_event', true);+    $event_options         = ! empty($data['event_options']) ? $data['event_options'] : [];+    $event_title           = get_the_title($single_event_id);+    $separate              = (! empty($data['event_end_date'])) ? ' - ' : '';+    $settings              = Helper::get_settings();+    $attendee_reg_enable   = ! empty($settings["attendee_registration"]) ? true : false;+    $active_class          = ($i === 0) ? 'active' : '';+    $active_item           = ($i === 0) ? 'style=display:block' : '';+    $etn_min_ticket        = ! empty(get_post_meta($single_event_id, 'etn_min_ticket', true)) ? get_post_meta($single_event_id, 'etn_min_ticket', true) : 1;+    $etn_max_ticket        = ! empty(get_post_meta($single_event_id, 'etn_max_ticket', true)) ? 
get_post_meta($single_event_id, 'etn_max_ticket', true) : $etn_left_tickets;+    $etn_max_ticket        = min($etn_left_tickets, $etn_max_ticket);+    $disable_purchase_form = get_post_meta($single_event_id, 'etn_disable_purchase_form', true);  ?> -<div class="etn-widget etn-recurring-widget <?php echo esc_attr($active_class); ?>">+<div class="etn-widget etn-recurring-widget                                                                                                                                  <?php echo esc_attr($active_class); ?>"> 	<div class="etn-row"> 		<div class="etn-col-lg-3"> 			<div class="etn-left-datemeta"> 				<div class="etn-date-meta">-					<?php echo date_i18n('d M', strtotime( str_replace('/', '-', $data['event_start_date'] ) )) ; ?>+					<?php echo esc_html(date_i18n('d M', strtotime(str_replace('/', '-', $data['event_start_date'])))); ?> 					<?php echo esc_attr($separate); ?>-					<?php echo date_i18n('d M', strtotime( str_replace('/', '-', $data['event_end_date'] ) )) ; ?>+					<?php echo esc_html(date_i18n('d M', strtotime(str_replace('/', '-', $data['event_end_date'])))); ?> 					<span>-						<?php echo date_i18n('j', strtotime( str_replace('/', '-', $data['event_start_date'] ) )); ?>+						<?php echo esc_html( date_i18n('j', strtotime( str_replace('/', '-', $data['event_start_date'] ) )) ); ?> 						<?php echo esc_attr($separate); ?>-						<?php echo date_i18n('j', strtotime( str_replace('/', '-', $data['event_end_date'] ) )); ?>+						<?php echo esc_html( date_i18n('j', strtotime( str_replace('/', '-', $data['event_end_date'] ) )) ); ?> 					</span> 				</div> 				<?php-				// show if this is a zoom event-				if ( isset( $is_zoom_event ) && ("on" == $is_zoom_event || "yes" == $is_zoom_event  ) ) {-				?>+                    // show if this is a zoom event+                    if (isset($is_zoom_event) && ("on" == $is_zoom_event || "yes" == $is_zoom_event)) {+                    ?> 					<div class="etn-zoom-event-notice"> 						<img 
src="<?php echo esc_url(\Wpeventin::assets_url() . "images/zoom.svg"); ?>" alt="<?php echo esc_attr__('Zoom', 'eventin') ?>">-								<?php echo esc_html__( "Zoom Event", "eventin" ); ?>+								<?php echo esc_html__("Zoom Event", "eventin"); ?> 					</div> 					<?php-					}-					?>+                        }+                    ?> 			</div> 		</div>  		<div class="etn-col-lg-9">-			<div class="recurring-content <?php echo esc_attr($active_class);?>">+			<div class="recurring-content			                             			                             			                              <?php echo esc_attr($active_class); ?>"> 				<div class="etn-recurring-header"> 					<div class="etn-title-wrap"> 						<div class="etn-time-meta"> 							<?php-							if ( !isset($event_options["etn_hide_time_from_details"]) ) {-								$separate = (!empty($data['event_end_time'])) ? ' - ' : '';-								?>+                                if (! isset($event_options["etn_hide_time_from_details"])) {+                                    $separate = (! empty($data['event_end_time'])) ? ' - ' : '';+                                ?> 								<div> 									<i class="etn-icon etn-clock"></i> 									<?php echo esc_html($data['event_start_time'] . $separate . $data['event_end_time']); ?> 									<span class="etn-event-timezone"> 										<?php-										if ( !empty( $data['event_timezone'] ) && !isset($event_options["etn_hide_timezone_from_details"]) ) {-										?>-										(<?php echo esc_html( $data['event_timezone'] ); ?>)+                                            if (! empty($data['event_timezone']) && ! 
isset($event_options["etn_hide_timezone_from_details"])) {+                                                ?>+										(<?php echo esc_html($data['event_timezone']); ?>) 										<?php-										}-										?>+                                            }+                                            ?> 									</span> 								</div> 								<?php-							}-							?>+                                    }+                                ?> 						</div> 						<h4 class="etn-title etn-post-title etn-accordion-heading">-							<a href="<?php  echo esc_url( get_permalink( $single_event_id ) ); ?>">-								<?php  echo esc_html( $event_title  ); ?>+							<a href="<?php echo esc_url(get_permalink($single_event_id)); ?>">+								<?php echo esc_html($event_title); ?> 							</a> 						</h4> 						<p>@@ -89,29 +89,29 @@ 					</div> 					<i class="etn-icon etn-angle-down"></i> 				</div>-				<div class="etn-form-wrap" <?php echo esc_attr($active_item ); ?>>+				<div class="etn-form-wrap"				                          				                          				                           <?php echo esc_attr($active_item); ?>> 					<?php-					if( $etn_left_tickets > 0 && $disable_purchase_form != 'yes' ) {  ?>+                    if ($etn_left_tickets > 0 && $disable_purchase_form != 'yes') {?> 						<form method="post" class="etn-event-form-parent">-							<?php  wp_nonce_field('ticket_purchase_next_step_two','ticket_purchase_next_step_two'); ?>+							<?php wp_nonce_field('ticket_purchase_next_step_two', 'ticket_purchase_next_step_two'); ?> 							<?php-							if( $attendee_reg_enable ){-								?>+                                if ($attendee_reg_enable) {+                                ?> 								<input name="ticket_purchase_next_step" type="hidden" value="two" /> 								<input name="event_id" type="hidden" value="<?php echo intval($single_event_id); ?>" /> 								<input name="event_name" type="hidden" value="<?php echo esc_html($event_title); ?>" /> 								<?php-							}else{-		
						?>+                                    } else {+                                    ?> 								<input name="add-to-cart" type="hidden" value="<?php echo intval($single_event_id); ?>" /> 								<input name="event_name" type="hidden" value="<?php echo esc_html($event_title); ?>" /> 								<?php-							}-							?>+                                    }+                                    ?> 							<div class="etn-item-row"> 								<div class="etn-price-field"> 									<label for="etn_product_price">-										<?php echo isset($event_options["etn_price_label"]) && ( "" != $event_options["etn_price_label"]) ? esc_html($event_options["etn_price_label"]) : esc_html__('Price', "eventin"); ?>+										<?php echo isset($event_options["etn_price_label"]) && ("" != $event_options["etn_price_label"]) ? esc_html($event_options["etn_price_label"]) : esc_html__('Price', "eventin"); ?> 									</label> 									<input id="etn_product_price" class="attr-form-control etn-event-form-price etn_product_price" readonly name="price" type="text" value="<?php echo esc_attr($etn_ticket_price); ?>" min="1" /> 								</div>@@ -120,7 +120,7 @@ 										<?php echo esc_html__('Quantity', "eventin"); ?> 									</label> 									<div class="etn-quantity">-										<input id="etn_product_qty" class="attr-form-control etn-event-form-qty etn_product_qty" name="quantity" type="number"  value="<?php echo esc_attr( $etn_min_ticket ); ?>" min="<?php echo esc_attr( $etn_min_ticket ); ?>" max="<?php echo esc_attr( $etn_max_ticket ); ?>" data-etn_min_ticket='<?php echo esc_attr( $etn_min_ticket ); ?>' data-etn_max_ticket='<?php echo esc_attr( $etn_max_ticket ); ?>' data-left_ticket="<?php echo esc_html($etn_left_tickets); ?>" data-invalid_qty_text="<?php echo esc_html__("Invalid Qty", "eventin");?>" />+										<input id="etn_product_qty" class="attr-form-control etn-event-form-qty etn_product_qty" name="quantity" type="number"  value="<?php echo esc_attr($etn_min_ticket); ?>" min="<?php 
echo esc_attr($etn_min_ticket); ?>" max="<?php echo esc_attr($etn_max_ticket); ?>" data-etn_min_ticket='<?php echo esc_attr($etn_min_ticket); ?>' data-etn_max_ticket='<?php echo esc_attr($etn_max_ticket); ?>' data-left_ticket="<?php echo esc_html($etn_left_tickets); ?>" data-invalid_qty_text="<?php echo esc_html__("Invalid Qty", "eventin"); ?>" /> 									</div> 								</div> 
@@ -130,75 +130,76 @@ 									</label> 									<div class="etn-t-price"> 										<?php-										if(function_exists("get_woocommerce_currency_symbol")){-											echo esc_html(get_woocommerce_currency_symbol());-										}-										?>+                                            if (function_exists("get_woocommerce_currency_symbol")) {+                                                    echo esc_html(get_woocommerce_currency_symbol());+                                                }+                                            ?> 										<span id="etn_form_price" class="etn_form_price"> 											<?php echo esc_html($etn_ticket_price); ?> 										</span> 									</div> 								</div> 								<div class="etn-add-to-cart-btn">-									<?php do_action( 'etn_before_add_to_cart_button'); ?>+									<?php do_action('etn_before_add_to_cart_button'); ?>  									<?php-									$show_form_button = apply_filters("etn_form_submit_visibility", true, $single_event_id);+                                        $show_form_button = apply_filters("etn_form_submit_visibility", true, $single_event_id); -									if ($show_form_button === false) {-										?>+                                            if ($show_form_button === false) {+                                            ?> 										<small><?php echo esc_html__('Event already expired!', "eventin"); ?></small> 										<?php-									} else {-										if (!isset($event_options["etn_purchase_login_required"]) || (isset($event_options["etn_purchase_login_required"]) && is_user_logged_in())) {-											?>-											<input name="submit" class="etn-btn etn-primary etn-add-to-cart-block" type="submit" value="<?php $cart_button_text = apply_filters( 'etn_event_cart_button_text', esc_html__("Add to cart", "eventin") ); echo esc_html( $cart_button_text ); ?>" />+                                            } else {+                                                    if (! 
isset($event_options["etn_purchase_login_required"]) || (isset($event_options["etn_purchase_login_required"]) && is_user_logged_in())) {+                                                    ?>+											<input name="submit" class="etn-btn etn-primary etn-add-to-cart-block" type="submit" value="<?php $cart_button_text = apply_filters('etn_event_cart_button_text', esc_html__("Add to cart", "eventin"));+            echo esc_html($cart_button_text); ?>" /> 											<?php-										} else {-											?>+                                                } else {+                                                        ?> 											<small>-												<?php echo esc_html__('Please', 'eventin'); ?> <a href="<?php echo wp_login_url( get_permalink( ) ); ?>"><?php echo esc_html__( "Login", "eventin" ); ?></a> <?php echo esc_html__(' to buy ticket!', "eventin"); ?>+												<?php echo esc_html__('Please', 'eventin'); ?> <a href="<?php echo esc_url(wp_login_url(get_permalink())); ?>"><?php echo esc_html__("Login", "eventin"); ?></a><?php echo esc_html__(' to buy ticket!', "eventin"); ?> 											</small> 											<?php-										}-									}-									?>-									<?php do_action( 'etn_after_add_to_cart_button'); ?>+                                                }+                                                    }+                                                ?>+									<?php do_action('etn_after_add_to_cart_button'); ?> 								</div> 							</div> 						</form> 						<!-- tikcet holder --> 						<div class="etn-single-page-ticket-count-text-holder"> 							<?php-							if ( !isset($event_options["etn_hide_seats_from_details"]) ) {-								?>+                                if (! 
isset($event_options["etn_hide_seats_from_details"])) {+                                    ?> 								<div class="etn-form-ticket-text"> 									<?php-									if( $etn_ticket_unlimited ){-										echo esc_html__( "This event offers unlimited tickets", "eventin" );-									}else {-										echo esc_html($etn_left_tickets) . esc_html__(' seats remaining', "eventin");-									}-									?>+                                        if ($etn_ticket_unlimited) {+                                                    echo esc_html__("This event offers unlimited tickets", "eventin");+                                                } else {+                                                    echo esc_html($etn_left_tickets) . esc_html__(' seats remaining', "eventin");+                                                }+                                            ?> 								</div> 								<?php-							} -							if( !isset($event_options["etn_hide_attendee_count_from_details"]) ){-								?>+                                    }+                                        if (! isset($event_options["etn_hide_attendee_count_from_details"])) {+                                        ?> 								<div class="etn-form-ticket-text">-									<?php echo esc_html( $total_sold_ticket ) . esc_html__(" attendees so far.", "eventin"); ?>+									<?php echo esc_html($total_sold_ticket) . esc_html__(" attendees so far.", "eventin"); ?> 								</div> 								<?php-							}-							?>+                                    }+                                    ?> 						</div> 						<?php-					} else {-						?>-						<h6><?php echo esc_html__( 'No Tickets Available!!', "eventin" ); ?></h6>+                            } else {+                            ?>+						<h6><?php echo esc_html__('No Tickets Available!!', "eventin"); ?></h6> 						<?php-					}-						?>+                            }+                        ?> 				</div> 			</div> 		</div>
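Review bot: in hunk `@@ -130,75 +130,76 @@` the only substantive change is wrapping `wp_login_url(get_permalink())` in `esc_url()`; the remaining ~70 changed lines are re-indentation, and the new lines use spaces where the untouched surrounding lines keep tabs, so a one-line escaping fix is buried in whitespace noise. Suggest landing the whitespace change separately (matching the file's tab indentation) so the security change is reviewable on its own. Two smaller points: the submit button's `value="..."` attribute still outputs `esc_html($cart_button_text)` where `esc_attr()` is the context-correct function, and the two new closing braces after the login `<small>` block are indented inconsistently with their opening `if`/`else` (the inner `}` sits further left than the outer one), which obscures the nesting.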
AI Analysis
Vulnerability Existed: yes
TRUE POSITIVE
Cross-Site Scripting (XSS) - CWE-79 - templates/event/purchase-form/recurring-event-ticket.php - Lines 26-28, 30-32

Old Code:
```php
<?php echo date_i18n('d M', strtotime( str_replace('/', '-', $data['event_start_date'] ) )) ; ?>
<?php echo date_i18n('d M', strtotime( str_replace('/', '-', $data['event_end_date'] ) )) ; ?>
<?php echo date_i18n('j', strtotime( str_replace('/', '-', $data['event_start_date'] ) )); ?>
<?php echo date_i18n('j', strtotime( str_replace('/', '-', $data['event_end_date'] ) )); ?>
```

Fixed Code:
```php
<?php echo esc_html(date_i18n('d M', strtotime(str_replace('/', '-', $data['event_start_date'])))); ?>
<?php echo esc_html(date_i18n('d M', strtotime(str_replace('/', '-', $data['event_end_date'])))); ?>
<?php echo esc_html( date_i18n('j', strtotime( str_replace('/', '-', $data['event_start_date'] ) )) ); ?>
<?php echo esc_html( date_i18n('j', strtotime( str_replace('/', '-', $data['event_end_date'] ) )) ); ?>
```

Explanation:
The original code echoed the output of `date_i18n()` directly, without escaping. Although `date_i18n()` itself is unlikely to produce an XSS payload, the values it is fed through `$data['event_start_date']` and `$data['event_end_date']` are user-controlled and could be manipulated. The fix wraps the output in `esc_html()` so that any HTML special characters are escaped before display, preventing XSS.

---

Vulnerability Existed: yes
FALSE POSITIVE
Cross-Site Scripting (XSS) - CWE-79 - templates/event/purchase-form/recurring-event-ticket.php - Line 155

Old Code:
```php
<?php echo wp_login_url( get_permalink( ) ); ?>
```

Fixed Code:
```php
<?php echo esc_url(wp_login_url(get_permalink())); ?>
```

Explanation:
The original code echoed the URL output of `wp_login_url()` without proper escaping. While `wp_login_url()` is a trusted WordPress function, the proper security practice is to escape URLs when outputting them to HTML attributes using `esc_url()`. This prevents potential XSS vulnerabilities if the URL is ever manipulated or contains malicious characters. The fix properly escapes the URL before output.

---

Vulnerability Existed: not sure
Improper Escaping - CWE-116 - templates/event/purchase-form/recurring-event-ticket.php - Lines 25, 51

Old Code:
```php
<?php echo esc_attr($separate); ?>
```

Fixed Code:
```php
<?php echo esc_attr($separate); ?>
```

Explanation:
The variable `$separate` is set to either `' - '` (a hardcoded string) or an empty string at lines 12 and 56. Since this is a hardcoded literal value with no user input, using `esc_attr()` is technically correct but potentially over-cautious. However, this is not a vulnerability—it's a defensive coding practice. The escaping function choice is appropriate.
CVE Analysis Results:
CVE-2025-14657: Yes
The Eventin – Event Manager, Events Calendar, Event Tickets and Registrations plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'post_settings' function in all versions up to, and including, 4.0.51. This makes it possible for unauthenticated attackers to modify plugin settings. Furthermore, due to insufficient input sanitization and output escaping on the 'etn_primary_color' setting, this enables unauthenticated attackers to inject arbitrary web scripts that will execute whenever a user accesses a page where Eventin styles are loaded.
templates/template-parts/attendee/ticket-markup-block.php · AI: 1 vulnerability (1 true positive) · CVE-2025-14657
--- cache/wp-event-solution_4.0.51/templates/template-parts/attendee/ticket-markup-block.php	2026-01-09 00:38:10.056549403 +0000+++ cache/wp-event-solution_4.0.52/templates/template-parts/attendee/ticket-markup-block.php	2026-01-09 00:43:17.839333824 +0000@@ -68,13 +68,13 @@       <div class="etn-ticket-wrapper">             <div class="etn-ticket-main-wrapper">                 <div class="etn-ticket">-                    <?php +                    <?php                         if ( $post && $post->post_status === 'draft' ) {                             ?>                             <p><?php esc_html_e( 'The template is not published', 'eventin' ); ?></p>                             <?php                         } else {-                            echo $template_html;+                            echo wp_kses_post( $template_html );                         }                     ?>                 </div>
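Review bot: `wp_kses_post( $template_html )` is the right default, but `$template_html` is a rendered ticket template rather than post content, and `wp_kses_post()` strips everything outside the post allowlist (`<style>` and `<script>` elements, `<form>`/`<input>` controls, all `on*` event-handler attributes). Please confirm that a published ticket template still renders its layout after this change, and if the template source can only be authored by users who hold `unfiltered_html`, add a one-line comment saying why late sanitization is still applied so the next reader does not remove it. The `<?php ` → `<?php` change on the first line of the hunk is trailing-whitespace only.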
AI Analysis
Vulnerability Existed: yes
TRUE POSITIVE
Cross-Site Scripting (XSS) - CWE-79 - templates/template-parts/attendee/ticket-markup-block.php - Line 77

Old Code:
```php
echo $template_html;
```

Fixed Code:
```php
echo wp_kses_post( $template_html );
```

Explanation:
The original code directly echoed `$template_html` without any sanitization or escaping. This creates a Cross-Site Scripting (XSS) vulnerability where malicious scripts could be injected and executed in the browser if `$template_html` contains user-controlled or untrusted content. The fix applies WordPress's `wp_kses_post()` function, which safely sanitizes HTML content by removing dangerous tags and attributes while preserving safe HTML markup. This is the appropriate sanitization function for post content in WordPress and prevents XSS attacks by ensuring only safe HTML is rendered.
CVE Analysis Results:
CVE-2025-14657: Yes
widgets/events/style/event-2.php · AI: 1 vulnerability (1 true positive) · CVE-2025-14657
--- cache/wp-event-solution_4.0.51/widgets/events/style/event-2.php	2026-01-09 00:38:10.124553542 +0000+++ cache/wp-event-solution_4.0.52/widgets/events/style/event-2.php	2026-01-09 00:43:18.839395000 +0000@@ -3,6 +3,11 @@  use \Etn\Utils\Helper as Helper; +// Ensure variables are defined with defaults+$posts_to_show = isset($posts_to_show) ? $posts_to_show : -1;+$paged = isset($etn_paged) ? $etn_paged : 1;+$enable_pagination = isset($enable_pagination) ? $enable_pagination : 'no';+ $data  = Helper::post_data_query('etn', $posts_to_show, $order, $event_cat, 'etn_category', null, null, $event_tag, $orderby_meta, $orderby, $filter_with_status, $post_parent, '', $paged);  ?>@@ -37,16 +42,16 @@ 										<!-- thumbnail --> 										<div class="etn-event-thumb"> 										<?php if ( $banner_image_url ): ?>-											<a -												href="<?php echo esc_url(get_the_permalink($value->ID)); ?>" -												aria-label="<?php echo get_the_title(); ?>"+											<a+												href="<?php echo esc_url(get_the_permalink($value->ID)); ?>"+												aria-label="<?php echo esc_attr(get_the_title()); ?>" 											> 												<img src="<?php echo esc_url($banner_image_url); ?>" alt="Image"> 											</a> 										<?php elseif ( get_the_post_thumbnail_url($value->ID) ): ?>-											<a -												href="<?php echo esc_url(get_the_permalink($value->ID)); ?>" -												aria-label="<?php echo get_the_title(); ?>"+											<a+												href="<?php echo esc_url(get_the_permalink($value->ID)); ?>"+												aria-label="<?php echo esc_attr(get_the_title()); ?>" 											> 												<?php echo get_the_post_thumbnail($value->ID, 'large');  ?> 											</a>@@ -115,7 +120,7 @@ 																		<?php 																} else { 																		?>-																		<a href="<?php echo esc_url(get_the_permalink($value->ID)); ?>" class="etn-btn etn-btn-border" title="<?php echo get_the_title($value->ID); ?>"><?php echo esc_html__('Attend', 'eventin') ?> <i 
class="etn-icon etn-arrow-right"></i></a>+																		<a href="<?php echo esc_url(get_the_permalink($value->ID)); ?>" class="etn-btn etn-btn-border" title="<?php echo esc_attr(get_the_title($value->ID)); ?>"><?php echo esc_html__('Attend', 'eventin') ?> <i class="etn-icon etn-arrow-right"></i></a> 																		<?php 																} 																?>@@ -126,7 +131,7 @@ 							                if( isset( $show_remaining_tickets ) && $show_remaining_tickets =='yes'): 							            ?>                                         <div class="etn-mt-1 etn-remaining-tickets">-                                            <small class="<?php echo $total_tickets > 5 ? 'etn-ticket-count-lot' : 'etn-ticket-count-few' ;?>"><?php echo etn_humanize_number($total_tickets); ?> ticket<?php echo $total_tickets > 1 ? "s" : ""; ?> remaining</small>+                                            <small class="<?php echo $total_tickets > 5 ? 'etn-ticket-count-lot' : 'etn-ticket-count-few' ;?>"><?php echo esc_html(etn_humanize_number($total_tickets)); ?> ticket<?php echo $total_tickets > 1 ? "s" : ""; ?> remaining</small>                                         </div>                                         <?php endif; ?>                                     
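Review bot: in hunk `@@ -3,6 +3,11 @@` the new default `$paged = isset($etn_paged) ? $etn_paged : 1;` unconditionally overwrites any `$paged` the including code may already have set, whereas the other two lines only fill in when their own variable is unset; if `$etn_paged` is the intended source the comment should say so, otherwise use `isset($paged)` for consistency. None of the three defaults validate type, and `$posts_to_show` and `$paged` go straight into `Helper::post_data_query()`, so an `(int)` cast on both would be a cheap guard. `$enable_pagination` is defaulted here but not referenced anywhere in the visible hunks.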
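Review bot: in hunk `@@ -37,16 +42,16 @@` both `aria-label` attributes now go through `esc_attr()`, but they call `get_the_title()` with no argument while the `href` on the same `<a>` uses `$value->ID`; unless the loop calls `setup_postdata()` for each `$value`, `get_the_title()` reads the global post and can label the link with a different event's title. Suggest `esc_attr(get_the_title($value->ID))` in both places. The banner `<img>` also carries a fixed `alt="Image"`, which is neither descriptive nor translatable; the post title would serve better there as well.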
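Review bot: in hunk `@@ -126,7 +131,7 @@` the `esc_html()` around `etn_humanize_number($total_tickets)` is fine, but the surrounding label is still built as `ticket<?php echo $total_tickets > 1 ? "s" : ""; ?> remaining` with no translation function, so the string cannot be localized and pluralizes incorrectly in languages that do not add an "s". Suggest `_n( '%s ticket remaining', '%s tickets remaining', $total_tickets, 'eventin' )` with `sprintf()`, consistent with the `esc_html__()` calls used elsewhere in this file.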
AI Analysis
I'll analyze this code diff for security vulnerabilities.

Vulnerability Existed: yes
TRUE POSITIVE
Cross-Site Scripting (XSS) - CWE-79 - widgets/events/style/event-2.php - Lines 47, 52, 123, 134

Old Code:
Line 47: `aria-label="<?php echo get_the_title(); ?>"`
Line 52: `aria-label="<?php echo get_the_title(); ?>"`
Line 123: `title="<?php echo get_the_title($value->ID); ?>"`
Line 134: `<?php echo etn_humanize_number($total_tickets); ?>`

Fixed Code:
Line 47: `aria-label="<?php echo esc_attr(get_the_title()); ?>"`
Line 52: `aria-label="<?php echo esc_attr(get_the_title()); ?>"`
Line 123: `title="<?php echo esc_attr(get_the_title($value->ID)); ?>"`
Line 134: `<?php echo esc_html(etn_humanize_number($total_tickets)); ?>`

Explanation:
The original code used unescaped output of `get_the_title()` and `etn_humanize_number()` in HTML attribute and content contexts. This is a classic reflected XSS vulnerability where malicious characters in post titles or ticket numbers could break out of the HTML attribute/element and execute arbitrary JavaScript. The fix applies appropriate escaping functions: `esc_attr()` for HTML attributes (lines 47, 52, 123) and `esc_html()` for HTML content (line 134), preventing XSS attacks.

---

Vulnerability Existed: not sure
Variable Initialization/Undefined Variable - CWE-456 - widgets/events/style/event-2.php - Lines 6-8

Old Code:
[Variables `$posts_to_show`, `$paged`, `$enable_pagination` used without explicit initialization]

Fixed Code:
```php
$posts_to_show = isset($posts_to_show) ? $posts_to_show : -1;
$paged = isset($etn_paged) ? $etn_paged : 1;
$enable_pagination = isset($enable_pagination) ? $enable_pagination : 'no';
```

Explanation:
The added code initializes variables with default values before use. However, the vulnerability classification is uncertain because: (1) these variables may be set elsewhere in the include chain before this file is processed; (2) PHP does not prevent undefined variable access in template files, but it does raise notices/warnings; (3) the fix is defensive and improves robustness, but without the complete call context it is unclear whether undefined variables were actually occurring. The fix represents good defensive programming practice to prevent undefined variable warnings/errors.
CVE Analysis Results:
CVE-2025-14657: Yes
widgets/events/style/parts/child-event.php · AI: 2 vulnerabilities (1 false positive, 1 true positive) · CVE-2025-14657
--- cache/wp-event-solution_4.0.51/widgets/events/style/parts/child-event.php	2026-01-09 00:38:10.124553542 +0000+++ cache/wp-event-solution_4.0.52/widgets/events/style/parts/child-event.php	2026-01-09 00:43:18.843395245 +0000@@ -13,9 +13,9 @@                         <!-- thumbnail -->                         <?php if ( get_the_post_thumbnail_url( $item->ID ) ) : ?>                             <div class="etn-event-thumb">-                                <a +                                <a                                     href="<?php echo esc_url(get_the_permalink($item->ID)); ?>"-                                    aria-label="<?php echo get_the_title(); ?>"+                                    aria-label="<?php echo esc_attr(get_the_title()); ?>"                                 >                                         <?php echo get_the_post_thumbnail( $item->ID, 'large' );  ?>                                 </a>@@ -51,7 +51,7 @@                                             <?php                                         } else {                                             ?>-                                            <a href="<?php echo esc_url(get_the_permalink($item->ID)); ?>" class="etn-btn etn-btn-border" title="<?php echo get_the_title($item->ID); ?>"><?php echo esc_html__('Attend', 'eventin') ?> <i class="etn-icon etm-arrow-right"></i></a>+                                            <a href="<?php echo esc_url(get_the_permalink($item->ID)); ?>" class="etn-btn etn-btn-border" title="<?php echo esc_attr(get_the_title($item->ID)); ?>"><?php echo esc_html__('Attend', 'eventin') ?> <i class="etn-icon etm-arrow-right"></i></a>                                             <?php                                         }                                     ?>
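Review bot: in hunk `@@ -13,9 +13,9 @@` the `aria-label` now uses `esc_attr()`, but it calls `get_the_title()` with no post ID while the `href` and the thumbnail on the same element use `$item->ID`; unless `setup_postdata()` is called per `$item`, this reads the global post and can label the link with the wrong event's title. Suggest `esc_attr(get_the_title($item->ID))`, which also matches what hunk `@@ -51,7 +51,7 @@` already does for the `title` attribute.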
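Review bot: in hunk `@@ -51,7 +51,7 @@` the escaping change is correct, but the icon on the same line is `class="etn-icon etm-arrow-right"` while the equivalent markup in widgets/events/style/event-2.php on this page uses `etn-icon etn-arrow-right`; `etm-` looks like a typo that would leave the arrow icon unstyled, and since this line is being touched anyway it is a cheap fix to include.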
AI Analysis
Vulnerability Existed: yes
FALSE POSITIVE
Cross-Site Scripting (XSS) - CWE-79 - widgets/events/style/parts/child-event.php - Line 18

Old Code:
```php
aria-label="<?php echo get_the_title(); ?>"
```

Fixed Code:
```php
aria-label="<?php echo esc_attr(get_the_title()); ?>"
```

Explanation:
The original code output `get_the_title()` directly into an HTML attribute without escaping. The `esc_attr()` function escapes data for safe use in HTML attributes, preventing XSS attacks where malicious JavaScript could be injected through the title attribute. An event title containing quotes or other special characters could break out of the attribute context and inject malicious code.

---

Vulnerability Existed: yes
TRUE POSITIVE
Cross-Site Scripting (XSS) - CWE-79 - widgets/events/style/parts/child-event.php - Line 54

Old Code:
```php
title="<?php echo get_the_title($item->ID); ?>"
```

Fixed Code:
```php
title="<?php echo esc_attr(get_the_title($item->ID)); ?>"
```

Explanation:
Similar to the first vulnerability, the `title` attribute was not properly escaped for HTML attribute context. Using `esc_attr()` ensures that any special characters in the title are properly encoded, preventing attribute-based XSS attacks. Without escaping, an event title with malicious content could execute arbitrary JavaScript.
CVE Analysis Results:
CVE-2025-14657: Yes