Impact
The Minimalistic Event Manager plugin for WordPress contains a missing authorization flaw that allows an attacker to bypass intended access controls. Because the plugin does not properly enforce privileges, users who should not have administrative or editing capabilities could access the event management interface or perform sensitive actions, potentially exposing personal data or modifying event records. This defect maps to CWE-862: Missing Authorization, which can lead to confidentiality, integrity, and availability compromises if exploited.
Affected Systems
Manuel Schmalstieg's Minimalistic Event Manager plugin, versions up to 1.1.1 inclusive, deployed on WordPress sites.
Risk and Exploitability
The CVSS score of 6.4 indicates a medium severity vulnerability. The EPSS figure of less than 1% suggests that exploitation attempts are currently rare, and the issue is not listed in the CISA Known Exploited Vulnerabilities catalog. Nevertheless, the flaw can potentially be leveraged remotely by anyone who can reach the WordPress installation, especially if the plugin's admin pages are exposed. The lack of authorization checks means that even unauthenticated or low‑privileged users might gain elevated rights, depending on the site's configuration. The attack path is straightforward: the attacker accesses the vulnerable plugin endpoints and performs privileged actions that the plugin should restrict.
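The two sections above describe the CWE-862 pattern but, as an advisory, do not show what the missing check looks like in a WordPress plugin. The following is an added illustration, not code from the Minimalistic Event Manager plugin or from its author: a hypothetical "save event" handler registered through admin-post.php, shown first in the unchecked shape the advisory describes and then with the three checks that close it. Every function, hook, capability and slug name prefixed `mem_demo` is an assumption made for this example.

```php
<?php
/**
 * Added illustration (NOT the Minimalistic Event Manager plugin's own code).
 * Hypothetical event-save handler for a WordPress admin page. All names
 * starting with mem_demo / mem-demo are assumptions for this example.
 */

// --- Weak form: trusts that only administrators reach the page. ---
// admin-post.php fires 'admin_post_{action}' for ANY logged-in user, so a
// subscriber-level account can post to it; nothing here asks what the caller
// is allowed to do. This is the CWE-862 shape the advisory describes.
function mem_demo_save_event_unchecked() {
    $event_id = (int) ( $_POST['event_id'] ?? 0 );
    $title    = sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) );
    wp_update_post( array( 'ID' => $event_id, 'post_title' => $title ) );
    wp_safe_redirect( admin_url( 'admin.php?page=mem-demo-events' ) );
    exit;
}

// --- Hardened form: capability check, nonce, then per-object check. ---
function mem_demo_save_event_checked() {
    // 1. May the caller perform this class of action at all?
    //    Use the narrowest capability that fits; 'edit_posts' is an assumption.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_die( esc_html__( 'You are not allowed to edit events.', 'mem-demo' ), 403 );
    }

    // 2. Was the request sent deliberately (CSRF)? A nonce is NOT a substitute
    //    for step 1: it proves intent, not privilege.
    check_admin_referer( 'mem_demo_save_event', 'mem_demo_nonce' );

    // 3. May the caller touch *this* record? A global capability is not enough
    //    when records have owners; the meta-capability checks ownership.
    $event_id = (int) ( $_POST['event_id'] ?? 0 );
    if ( $event_id > 0 && ! current_user_can( 'edit_post', $event_id ) ) {
        wp_die( esc_html__( 'You are not allowed to edit this event.', 'mem-demo' ), 403 );
    }

    $title = sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) );
    wp_update_post( array( 'ID' => $event_id, 'post_title' => $title ) );
    wp_safe_redirect( admin_url( 'admin.php?page=mem-demo-events' ) );
    exit;
}

// The form that posts to the handler must carry the matching nonce.
function mem_demo_render_events_page() {
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'mem-demo' ), 403 );
    }
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="mem_demo_save_event">';
    echo '<input type="hidden" name="event_id" value="0">';
    wp_nonce_field( 'mem_demo_save_event', 'mem_demo_nonce' );
    echo '<input type="text" name="title"> <button type="submit">Save</button>';
    echo '</form>';
}

// Register only the authenticated hook: never add admin_post_nopriv_* for a
// state-changing action. Gate the menu page with a capability as well, so the
// interface itself is not listed for users who cannot use it.
add_action( 'admin_post_mem_demo_save_event', 'mem_demo_save_event_checked' );
add_action( 'admin_menu', function () {
    add_menu_page(
        'Events',                     // page title
        'Events',                     // menu title
        'edit_posts',                 // capability required to see the page
        'mem-demo-events',            // menu slug
        'mem_demo_render_events_page' // render callback
    );
} );
```

When reviewing a plugin for this flaw class, the places to read are every callback attached to `admin_post_*`, `wp_ajax_*`, `admin_init` and REST routes with `permission_callback => '__return_true'`: each state-changing one should contain a `current_user_can()` test before any write, and a nonce check on its own does not count as authorization. The menu-page capability only hides the link; the handler behind it must still check.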