Impact
The vulnerability is a missing authorization flaw that allows attackers to bypass intended access controls within the Event Rocket plugin. Because functionality that should be restricted is exposed, an attacker can view or manipulate event data, edit entries, or trigger actions for which they do not hold the required privileges. The weakness corresponds to improper enforcement of authorization (CWE-862).
Affected Systems
This issue affects the WordPress Event Rocket plugin distributed by Barry, versions up to and including 3.3. The problem is present in every release from the earliest visible through 3.3. No specific sub‑version or build identifier is provided beyond the overall version cap.
Risk and Exploitability
The CVSS score of 4.3 indicates moderate impact, and an EPSS score of less than 1% suggests a low current probability of exploitation. The vulnerability is not listed in CISA's KEV catalog. The likely attack vector is a web attacker who can construct requests to plugin endpoints that would normally require higher privilege. If the attacker has authenticated as a user with any role, the broken access control may allow them to perform actions beyond their granted capabilities. Successful exploitation could compromise the confidentiality and integrity of event data, or create denial-of-service conditions if the attacker floods certain operations.