Description
Missing Authorization vulnerability in Metagauss Event Kikfyre kikfyre-events-calendar-tickets allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Event Kikfyre: from n/a through <= 2.1.8.
Published: 2025-02-07
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a missing authorization check (CWE-862, Missing Authorization) in the Metagauss Event Kikfyre plugin: a plugin function that should be reserved for privileged roles can be reached by an authenticated user without the plugin verifying that the caller holds the required capability. The CVSS vector (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L) records no confidentiality impact and low integrity and availability impact, so the expected effect is unauthorized modification or deletion of the plugin's event or ticket data by a low-privileged account, not disclosure of restricted information. The advisory does not identify the specific endpoint or action that lacks the check.
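The pattern behind a CWE-862 finding in a WordPress plugin, shown as an added example: the code below is illustrative and is not the Event Kikfyre plugin's source. The action names (demo_delete_event), the post type (demo_event) and the nonce action are hypothetical. The first handler is registered on the wp_ajax_ hook, which any logged-in account can reach (matching the PR:L in the vector), but never asks whether the caller is allowed to perform the action; the second adds the nonce and object-level capability gates that close the gap.

```php
<?php
// Added example of the missing-authorization pattern in a WordPress AJAX
// handler. Hypothetical names throughout; not the Event Kikfyre plugin's code.

// --- Vulnerable pattern -----------------------------------------------------
// wp_ajax_{action} fires only for authenticated users, so the author may
// assume "logged in" means "authorized". A Subscriber can call this and
// delete any event: integrity/availability impact, no data disclosure.
add_action( 'wp_ajax_demo_delete_event', 'demo_delete_event_vulnerable' );
function demo_delete_event_vulnerable() {
    $event_id = isset( $_POST['event_id'] ) ? absint( $_POST['event_id'] ) : 0;
    if ( $event_id && get_post_type( $event_id ) === 'demo_event' ) {
        wp_delete_post( $event_id, true ); // no capability check before a destructive write
        wp_send_json_success();
    }
    wp_send_json_error( 'invalid event', 400 );
}

// --- Hardened pattern -------------------------------------------------------
// Three gates, in order: CSRF nonce, input validation, then an authorization
// check against the specific object rather than a bare "is logged in".
add_action( 'wp_ajax_demo_delete_event_safe', 'demo_delete_event_safe' );
function demo_delete_event_safe() {
    // 1. Nonce bound to this action; check_ajax_referer() dies with 403 on failure.
    check_ajax_referer( 'demo_delete_event', 'nonce' );

    // 2. Validate the target before touching the database.
    $event_id = isset( $_POST['event_id'] ) ? absint( $_POST['event_id'] ) : 0;
    if ( ! $event_id || get_post_type( $event_id ) !== 'demo_event' ) {
        wp_send_json_error( 'invalid event', 400 );
    }

    // 3. Authorization: the meta-capability delete_post is mapped by WordPress
    //    to delete_posts / delete_others_posts depending on whether the caller
    //    authored the post, so a low-privilege role cannot remove other users'
    //    events even though it can reach the endpoint.
    if ( ! current_user_can( 'delete_post', $event_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    wp_delete_post( $event_id, true );
    wp_send_json_success();
}

// The nonce must be minted server-side and shipped to the page's script, e.g.:
// wp_localize_script( 'demo-js', 'demoAjax', array(
//     'url'   => admin_url( 'admin-ajax.php' ),
//     'nonce' => wp_create_nonce( 'demo_delete_event' ),
// ) );
```

When auditing a plugin for this class of bug, grep every wp_ajax_, wp_ajax_nopriv_, register_rest_route and admin_post_ registration and confirm each handler (or the REST route's permission_callback) performs a current_user_can() check that is appropriate for the action; a nonce alone is a CSRF control, not an authorization control, and an is_user_logged_in() test only proves PR:L.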

Affected Systems

All versions of the WordPress Event Kikfyre plugin (slug kikfyre-events-calendar-tickets) up to and including 2.1.8 are affected; the advisory gives no earliest affected version ("from n/a"). Because the flaw is a missing capability check inside the plugin's own code, any site with the plugin active is exposed regardless of theme or other site configuration. The CVSS vector requires only low privileges (PR:L), so the realistic attacker is any account that can log in, including self-registered Subscribers on sites that allow open registration.

Risk and Exploitability

The CVSS 3.1 base score of 5.4 rates the vulnerability Medium. The vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L describes a network-reachable, low-complexity attack that needs an authenticated low-privilege account and no user interaction, and yields limited integrity and availability impact with no scope change. The EPSS score below 1% indicates a very low estimated likelihood of exploitation at the time of analysis, the CISA SSVC assessment records Exploitation: none and Automatable: no, and the vulnerability is not listed in CISA's KEV catalog. The likely attack is a logged-in low-privilege user on a publicly reachable WordPress site sending a request directly to whichever server-side entry point the plugin exposes without a capability check (WordPress plugins typically expose these as admin-ajax.php actions, REST routes or admin page handlers). No exploitation details are published in the advisories. Note that S:U and the low impact ratings do not describe privilege escalation: the attacker performs a plugin action their role should not permit, not obtain a higher role.

Generated by OpenCVE AI on May 2, 2026 at 04:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Event Kikfyre plugin to a version later than 2.1.8 once one is available; the advisory names 2.1.8 as the last affected version but does not identify a fixed release.
  • If an upgrade cannot be performed immediately, deactivate the plugin: a deactivated plugin registers no hooks, AJAX actions or REST routes, which removes the unauthenticated-by-capability entry point. Blocking direct web access to the plugin directory is a separate hardening step and does not by itself close a flaw reached through admin-ajax.php or the REST API.
  • Apply least privilege to WordPress accounts: review which roles exist, whether open registration ("Anyone can register" under Settings > General) is enabled, and which roles hold capabilities the plugin's management screens require. Because the vector needs only PR:L, any account that can log in can reach the affected function until the plugin is patched.

Generated by OpenCVE AI on May 2, 2026 at 04:47 UTC.

Tracking


Advisories
Source: EUVD
ID: EUVD-2025-4038
Title: Missing Authorization vulnerability in Metagauss Event Kikfyre allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Event Kikfyre: from n/a through 2.1.8.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics (cvssV3_1)
Values removed: none
Values added: {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values removed: Missing Authorization vulnerability in Metagauss Event Kikfyre allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Event Kikfyre: from n/a through 2.1.8.
Values added: Missing Authorization vulnerability in Metagauss Event Kikfyre kikfyre-events-calendar-tickets allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Event Kikfyre: from n/a through <= 2.1.8.

Type: References
Values removed: none
Values added: none shown

Type: Metrics (cvssV3_1)
Values removed: none
Values added: {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L'}


Fri, 07 Feb 2025 15:15:00 +0000

Type: Metrics (ssvc)
Values removed: none
Values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 07 Feb 2025 10:15:00 +0000

Type: Description
Values removed: none
Values added: Missing Authorization vulnerability in Metagauss Event Kikfyre allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Event Kikfyre: from n/a through 2.1.8.

Type: Title
Values removed: none
Values added: WordPress Event Kikfyre plugin <= 2.1.8 - Broken Access Control vulnerability

Type: Weaknesses
Values removed: none
Values added: CWE-862

Type: References
Values removed: none
Values added: none shown

Type: Metrics (cvssV3_1)
Values removed: none
Values added: {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L'}



MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:35.629Z

Reserved: 2025-02-03T13:34:38.766Z

Link: CVE-2025-25110

Vulnrichment

Updated: 2025-02-07T14:57:13.932Z

NVD

Status : Deferred

Published: 2025-02-07T10:15:16.747

Modified: 2026-04-23T15:25:37.510

Link: CVE-2025-25110

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T05:00:12Z

Weaknesses