Description
Missing Authorization vulnerability in ashanjay EventON eventon allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects EventON: from n/a through <= 4.9.8.
Published: 2025-05-16
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in the EventON plugin stems from missing authorization logic, allowing requests that should be restricted by access control lists to be executed. Attackers can invoke privileged functions—such as creating, editing, or deleting events—without the proper permissions, thereby gaining unauthorized control over event data and exposure. The weakness is a classic access‑control flaw, identified as CWE‑862, which undermines the confidentiality and integrity of the event management system.

Affected Systems

Products affected are the WordPress EventON plugin by ashanjay, with all releases through version 4.9.8 vulnerable. Any installation running these versions is susceptible if the plugin is active.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity, while the EPSS score of less than 1% suggests a very low likelihood of exploitation at the time of analysis. The vulnerability is not listed in the CISA KEV catalog, further reducing its current risk prominence. The likely attack vector is sending crafted requests to unsecured plugin endpoints that lack proper permission checks. Attackers would need either to be authenticated users with limited privileges or possibly unauthenticated users able to target the exposed functionality, depending on the configuration of the WordPress instance.

Generated by OpenCVE AI on April 30, 2026 at 12:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the EventON plugin to version 4.9.9 or later, which fixes the missing authorization check.
  • If upgrading is not immediately possible, disable or remove the EventON plugin from the WordPress installation to eliminate the exposed endpoints.
  • Implement host‑level or web application firewall rules blocking suspicious requests to the plugin’s admin or AJAX endpoints to reduce the attack surface until a patch is applied.


Advisories
Source: EUVD
ID: EUVD-2025-15506
Title: Missing Authorization vulnerability in ashanjay EventON allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects EventON: from n/a through 4.9.9.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Removed: Missing Authorization vulnerability in ashanjay EventON allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects EventON: from n/a through 4.9.9.
  Added: Missing Authorization vulnerability in ashanjay EventON eventon allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects EventON: from n/a through <= 4.9.8.
Title
  Removed: WordPress EventON plugin <= 4.9.9 - Broken Access Control vulnerability
  Added: WordPress EventON plugin <= 4.9.8 - Broken Access Control vulnerability
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}


Fri, 16 May 2025 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 16 May 2025 16:00:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in ashanjay EventON allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects EventON: from n/a through 4.9.9.
Title WordPress EventON plugin <= 4.9.9 - Broken Access Control vulnerability
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}


Subscriptions

Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:44.990Z

Reserved: 2025-05-07T09:40:07.681Z

Link: CVE-2025-47564

Vulnrichment

Updated: 2025-05-16T16:22:23.216Z

NVD

Status: Deferred

Published: 2025-05-16T16:15:42.693

Modified: 2026-04-23T15:30:29.770

Link: CVE-2025-47564

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T13:00:13Z

Weaknesses