The Event Organiser plugin for WordPress versions 3.12.8 and earlier contains a missing authorization check that allows attackers to bypass normal access controls. An attacker can use the web interface of a site that has the vulnerable plugin installed to create, modify, or delete events without needing administrative privileges. This flaw exposes the plugin's event‑creation functionality to unauthenticated or low‑privileged users, threatening the integrity of event data and potentially disrupting event scheduling. The likely attack vector is through the plugin’s web interface on a publicly accessible WordPress site, where an unauthenticated user could submit crafted requests to the event‑management endpoints. Because the description does not include code‑execution details, the impact is focused on unauthorized data manipulation rather than remote code execution. The predefined CWE for this issue is CWE‑862, which categorises missing authorization as a fundamental access‑control weakness.

The vulnerability affects the Event Organiser plugin developed by Stephen Harris. All installations of the plugin with a version of 3.12.8 or older are susceptible, including any version from the earliest release through 3.12.8.

The CVSS score of 4.3 indicates medium severity, and the EPSS score of less than 1% suggests a low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog, further indicating that it is not part of a known, actively exploited exploit set. Attackers would need to target a WordPress site running the vulnerable plugin and use the exposed event‑management endpoints to carry out the attack, which requires only normal web access. Because the flaw grants unauthorized data manipulation, the risk to the affected systems is significant if the vulnerability is exploited.