Description
The EventPrime - Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.2.7.0 via the REST API. This makes it possible for unauthenticated attackers to extract sensitive booking data including user names, email addresses, ticket details, payment information, and order keys when the API is enabled by an administrator. The vulnerability was partially patched in version 4.2.7.0.
Published: 2026-01-13
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Sensitive Information Exposure
Action: Apply Update
AI Analysis

Impact

The EventPrime plugin for WordPress can expose sensitive booking data—including user names, email addresses, ticket details, payment information, and order keys—through its REST API. When the API is enabled by an administrator, any unauthenticated user can retrieve this information, compromising the confidentiality of event participants and transactions. The flaw represents a common information leakage weakness, classified as CWE-200.

Affected Systems

The vulnerability affects the EventPrime – Events Calendar, Bookings and Tickets plugin by metagauss, specifically all versions up to and including 4.2.7.0. It applies only when the REST API endpoint is enabled, a setting that can be configured by site administrators.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity, while the EPSS of less than 1% suggests a low probability of exploitation at present. The issue is not listed in CISA’s KEV catalog. Attackers can gain unauthenticated access via the exposed REST API, potentially from any network location with internet reach to the site. The overall risk is moderate, primarily driven by the potential for widespread data exposure if the API remains enabled.

Generated by OpenCVE AI on April 21, 2026 at 16:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the EventPrime plugin to version 4.2.7.0 or later to apply the available patch.
  • If the REST API is not required, disable the EventPrime REST API endpoint through the plugin settings or WordPress configuration to eliminate the exposure vector.
  • Monitor site logs for unauthorized REST API activity and consider implementing rate limiting or WAF rules to reduce the likelihood of successful exploitation.

Advisories

No advisories yet.

History

Wed, 14 Jan 2026 11:15:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Metagauss; Metagauss eventprime; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Metagauss; Metagauss eventprime; Wordpress; Wordpress wordpress

Tue, 13 Jan 2026 15:15:00 +0000

Type: Metrics ssvc
Values Removed: (none)
Values Added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 13 Jan 2026 14:00:00 +0000

Type: Description
Values Removed: (none)
Values Added: The EventPrime - Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.2.7.0 via the REST API. This makes it possible for unauthenticated attackers to extract sensitive booking data including user names, email addresses, ticket details, payment information, and order keys when the API is enabled by an administrator. The vulnerability was partially patched in version 4.2.7.0.

Type: Title
Values Removed: (none)
Values Added: EventPrime - Events Calendar, Bookings and Tickets <= 4.2.7.0 - Unauthenticated Sensitive Information Exposure via REST API

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-200

Type: References
Values Removed: (none)
Values Added: (none listed)

Type: Metrics cvssV3_1
Values Removed: (none)
Values Added: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


Subscriptions

Metagauss Eventprime
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:50:55.999Z

Reserved: 2025-12-11T00:38:29.878Z

Link: CVE-2025-14507

Vulnrichment

Updated: 2026-01-13T14:11:23.785Z

NVD

Status: Deferred

Published: 2026-01-13T14:16:37.570

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-14507

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T16:30:40Z

Weaknesses