Description
Missing Authorization vulnerability in Marcus (aka @msykes) Events Manager events-manager allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Events Manager: from n/a through <= 6.6.4.1.
Published: 2025-02-26
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability is a missing authorization flaw that allows an attacker to perform operations on Events Manager data without proper authorization. The flaw stems from incorrectly configured access control security levels, enabling unauthorized users to potentially view, edit, or delete event information. The weakness corresponds to CWE‑862 (Missing Authorization), signifying that resource ownership and authorization checks are not enforced.

Affected Systems

The issue affects the Events Manager WordPress plugin developed by Marcus (aka @msykes). All releases described as <= 6.6.4.1 are vulnerable; no specific revision range is given beyond the maximum version 6.6.4.1.

Risk and Exploitability

The CVSS score of 5.3 places the vulnerability in the Medium severity range, while the EPSS score of less than 1% indicates a low probability of exploitation at the time of assessment. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is the web interface of a WordPress site, where an unauthenticated or low‑privileged user could send requests to endpoints protected by this plugin to gain unauthorized access to event data. The lack of authorization checks means that any user interacting with the plugin’s endpoints could potentially manipulate event records.

Generated by OpenCVE AI on May 1, 2026 at 15:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Events Manager plugin to the latest available version that patches the missing authorization flaw.
  • Verify the plugin’s role‑based access settings to ensure that only privileged users can manage events.
  • If an updated plugin version is not immediately available, consider disabling or uninstalling the plugin until a fix is released.

Advisories
Source: EUVD
ID: EUVD-2025-5342
Title: Missing Authorization vulnerability in Pixelite Events Manager allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Events Manager: from n/a through 6.6.4.1.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Values Removed: Missing Authorization vulnerability in Pixelite Events Manager allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Events Manager: from n/a through 6.6.4.1.
  Values Added: Missing Authorization vulnerability in Marcus (aka @msykes) Events Manager events-manager allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Events Manager: from n/a through <= 6.6.4.1.
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


Tue, 04 Mar 2025 03:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 26 Feb 2025 14:45:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in Pixelite Events Manager allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Events Manager: from n/a through 6.6.4.1.
Title WordPress Events Manager plugin <= 6.6.4.1 - Broken Access Control vulnerability
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


Subscriptions

Pixelite Events Manager
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:10:57.455Z

Reserved: 2025-02-12T13:59:44.376Z

Link: CVE-2025-1249

Vulnrichment

Updated: 2025-02-26T14:45:25.251Z

NVD

Status: Deferred

Published: 2025-02-26T15:15:24.470

Modified: 2026-04-23T15:22:54.650

Link: CVE-2025-1249

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T15:15:20Z

Weaknesses