This vulnerability is a missing authorization check in the themefunction WordPress Event Manager, Event Calendar and Booking Plugin (eventin‑pro). When a user with insufficient privileges accesses the plugin’s deletion functionality, the system refuses to verify proper authorization, allowing the attacker to delete arbitrary content such as posts, events, or bookings. The weakness is identified as CWE‑862 (Missing Authorization). The description explicitly states that incorrectly configured access control security levels enable this action; the likely attack requires at least a logged‑in user with some level of access, though the extent of required privileges is not specified.

All installations of the WordPress Event Manager, Event Calendar and Booking Plugin from any version up to and including 4.0.24 are affected. No vendor-specified sub‑release or patch information is provided beyond the upper bound of 4.0.24.

The CVSS score of 7.5 signals high severity, indicating significant risk if exploited. The EPSS score of less than 1% suggests that, as of this assessment, exploitation is currently unlikely, but the possibility remains. The vulnerability is not listed in the CISA KEV catalog, meaning it is not known to be actively exploited by malicious groups. The exploit path is application‑level; an attacker must gain or abuse some form of authenticated or misconfigured account to trigger the deletion of content. Because the attack requires access to the plugin’s deletion endpoint, providing proper role checks and restricting user capabilities would mitigate the exploitation vector.