Description
The Community Events plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_admin_event_approval() function in all versions up to, and including, 1.5.6. This makes it possible for unauthenticated attackers to approve arbitrary events via the 'eventlist' parameter.
Published: 2026-01-17
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized event approval
Action: Apply Fix
AI Analysis

Impact

The Community Events WordPress plugin lacks a capability check in its ajax_admin_event_approval() function, which allows an unauthenticated attacker to approve any event by supplying an arbitrary eventlist parameter. The flaw permits manipulation of event statuses and could be used to publish or promote events without proper authorization. The weakness corresponds to CWE‑862 "Missing Authorization."

Affected Systems

All installations of the Community Events plugin released by jackdewey, version 1.5.6 and earlier, are affected. WordPress sites running any of these versions without upgrading to a newer release are exposed.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity, while the EPSS score of less than 1 % signals a low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. An attacker can exploit the flaw via an unauthenticated HTTP request to the plugin’s AJAX endpoint, passing a crafted eventlist parameter. Because no authentication or authorization checks exist, the attack can be carried out without credentials, making it a straightforward remote compromise of event data.

Generated by OpenCVE AI on April 22, 2026 at 20:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Community Events plugin to a version newer than 1.5.6 that includes the missing capability check
  • If upgrading is not immediately feasible, disable the Community Events plugin entirely to prevent the vulnerable functionality from being invoked
  • As a temporary measure, apply server‑side restrictions such as firewall rules or .htaccess directives to deny unauthenticated access to the /wp-admin/admin-ajax.php endpoint for the Community Events plugin

Generated by OpenCVE AI on April 22, 2026 at 20:09 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 20 Jan 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 19 Jan 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Jackdewey
Jackdewey community Events
Wordpress
Wordpress wordpress
Vendors & Products Jackdewey
Jackdewey community Events
Wordpress
Wordpress wordpress

Sat, 17 Jan 2026 05:00:00 +0000

Type Values Removed Values Added
Description The Community Events plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_admin_event_approval() function in all versions up to, and including, 1.5.6. This makes it possible for unauthenticated attackers to approve arbitrary events via the 'eventlist' parameter.
Title Community Events <= 1.5.6 - Missing Authorization to Unauthenticated Arbitrary Event Approval via 'eventlist' Parameter
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

Subscriptions

Jackdewey Community Events
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:34:30.673Z

Reserved: 2025-12-04T14:29:13.860Z

Link: CVE-2025-14029

cve-icon Vulnrichment

Updated: 2026-01-20T18:31:01.870Z

cve-icon NVD

Status : Deferred

Published: 2026-01-17T05:16:10.370

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-14029

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T20:15:20Z

Weaknesses