Description
Missing Authorization vulnerability in WP Event Manager WP Event Manager wp-event-manager allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Event Manager: from n/a through <= 3.2.0.
Published: 2025-04-04
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a missing authorization flaw in WP Event Manager that allows an attacker to gain unauthorized access to event data and administrative functionality. Because the plugin's access control is incorrectly configured, a user without the proper permissions can exploit this flaw to view or modify events, potentially leaking or tampering with sensitive information. The weakness is classified as CWE-862 (Missing Authorization), a form of broken access control.

Affected Systems

All releases of the WP Event Manager plugin through version 3.2.0 are affected; the record gives no lower bound for the affected range ("from n/a"). The product is distributed under the vendor name WP Event Manager and is typically installed on WordPress sites as a plugin component.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity, but the EPSS score of less than 1% suggests that exploitation is currently unlikely. The vulnerability is not catalogued in CISA’s KEV catalog, further indicating lower current exploitation risk. However, because the flaw can be triggered remotely through the website’s public interfaces, administrators should treat the failure to enforce proper authorization as a significant risk and upgrade promptly.

Generated by OpenCVE AI on May 1, 2026 at 11:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade WP Event Manager to the latest version (currently later than 3.2.0) from the official WordPress plugin repository.
  • If an upgrade cannot be performed immediately, restrict the plugin’s capability settings by limiting which user roles can create or edit events, or disable the plugin until the fix is applied.
  • Enable logging and monitoring for event creation and modification actions, and review logs for unauthorized access attempts.

Advisories
Source: EUVD
ID: EUVD-2025-9814
Title: Missing Authorization vulnerability in WP Event Manager WP Event Manager allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Event Manager: from n/a through 3.1.47.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Removed: Missing Authorization vulnerability in WP Event Manager WP Event Manager allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Event Manager: from n/a through 3.1.47.
  Added: Missing Authorization vulnerability in WP Event Manager WP Event Manager wp-event-manager allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Event Manager: from n/a through <= 3.2.0.
Title
  Removed: WordPress WP Event Manager plugin <= 3.1.47 - Broken Access Control vulnerability
  Added: WordPress WP Event Manager plugin <= 3.2.0 - Broken Access Control vulnerability
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


Fri, 04 Apr 2025 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 04 Apr 2025 16:15:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in WP Event Manager WP Event Manager allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Event Manager: from n/a through 3.1.47.
Title WordPress WP Event Manager plugin <= 3.1.47 - Broken Access Control vulnerability
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:19.424Z

Reserved: 2025-04-04T10:01:50.054Z

Link: CVE-2025-32225

Vulnrichment

Updated: 2025-04-04T19:53:43.455Z

NVD

Status: Deferred

Published: 2025-04-04T16:15:31.703

Modified: 2026-04-23T15:28:47.367

Link: CVE-2025-32225

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T11:15:15Z

Weaknesses