WPGancio Plugin Vulnerability

Severity: MEDIUM (CVSS 6.4)

Threat Intelligence

Low Risk
EPSS Score: 0.03% chance of exploitation (percentile: 7%)
🔍 Detection Tools: None available in major open-source tools
⚔️ Exploit Availability: No public exploits found


What is it?

WPGancio is a WordPress plugin that displays events from a Gancio instance on a WordPress site, and is used by event organizers to publish their agenda. The plugin's 'gancio-event' shortcode does not sufficiently sanitize its input attributes or escape its output. An authenticated attacker with contributor-level access or above can therefore save a post containing a shortcode whose attribute values carry script or HTML, and that payload is stored and executes in the browser of any user, including administrators, who views the affected page (stored cross-site scripting). Contributors matter here because WordPress lets them publish shortcodes but not unfiltered HTML: the KSES filter strips literal tags such as <script> from their post content, but a shortcode attribute value is not an HTML tag, so a payload inside the attribute reaches the handler intact and becomes live markup only when the handler echoes it without escaping.
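To show the class of bug the advisory describes, here is an added example that is not WPGancio's code: a WordPress shortcode handler first in a vulnerable form, then hardened with WordPress's own sanitization and escaping functions. The shortcode name demo_event and its url and title attributes are assumptions made for the illustration.

```php
<?php
// Added example, not WPGancio's code. Demonstrates the pattern behind a
// stored XSS in a shortcode handler and the corresponding fix.
// Shortcode name and attribute names (demo_event, url, title) are assumed.

// VULNERABLE: attribute values are interpolated into HTML with no escaping.
// A contributor can save this in a post:
//   [demo_event url="https://example.org" title='" onmouseover="alert(1)']
// KSES leaves the attribute text alone (it is not an HTML tag), so the
// handler emits a live onmouseover attribute to every visitor of the page.
function demo_event_shortcode_vulnerable( $atts ) {
    $atts = shortcode_atts(
        array( 'url' => '', 'title' => '' ),
        $atts,
        'demo_event'
    );
    return '<a class="event" href="' . $atts['url'] . '">' . $atts['title'] . '</a>';
}

// HARDENED: sanitize on input, escape on output, each for its context.
function demo_event_shortcode_hardened( $atts ) {
    $atts = shortcode_atts(
        array( 'url' => '', 'title' => '' ),
        $atts,
        'demo_event'
    );

    // esc_url() rejects disallowed schemes such as javascript: (returns '')
    // and strips characters, including double quotes, that could break out
    // of the href attribute.
    $url = esc_url( $atts['url'] );

    // sanitize_text_field() strips tags, octets and line breaks from the
    // title; esc_html() then encodes <, >, & and quotes for the HTML context.
    $title = sanitize_text_field( $atts['title'] );

    if ( '' === $url ) {
        // No usable URL: render nothing rather than a broken or hostile link.
        return '';
    }

    return '<a class="event" href="' . $url . '">' . esc_html( $title ) . '</a>';
}

// Only the hardened handler is registered; the vulnerable one is kept above
// purely for comparison.
add_shortcode( 'demo_event', 'demo_event_shortcode_hardened' );
```

With the payload shown in the comment, the vulnerable handler outputs `title="" onmouseover="alert(1)"` inside the anchor tag, whereas the hardened handler outputs `&quot; onmouseover=&quot;alert(1)` as inert text. The fix is the general WordPress rule: escape every value at the point it is written into HTML, using the function that matches the context (esc_url for URLs, esc_attr for attributes, esc_html for text), rather than trusting that the author's role or an upstream filter already made it safe.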

Am I affected?

You're affected if you use WPGancio. The advisory does not state an affected-version range; since the fix section names 1.13 as the fixed release, treat any installation running an earlier version as affected until the advisory is updated.

Affected Products

WordPress.org / WPGancio

How to fix

To fix this vulnerability, upgrade to WPGancio version 1.13 or later from the WordPress Plugin Directory (https://wordpress.org/plugins/wpgancio/).

Immediate mitigations, if you cannot update right away:

  • Deactivate the WPGancio plugin until you can upgrade; with the shortcode handler unregistered, stored payloads in the 'gancio-event' shortcode are rendered as plain text rather than executed.
  • Review published and draft posts and pages that contain the 'gancio-event' shortcode for attribute values holding quotes, angle brackets, javascript: URLs or on*= event handlers, which a legitimate author would not need.
  • Audit contributor-level and higher accounts for suspicious activity, and remove or downgrade accounts that are no longer needed; this vulnerability requires only contributor access.
  • Monitor for unauthorized plugin activation or changes to plugin files.
  • If the site is not meant to be publicly reachable, restrict network access to it (for example, firewall the WordPress installation to trusted networks); for a public site this is not practical, and the measures above apply instead.