{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-69358", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2025-12-31T20:12:32.245Z", "datePublished": "2026-03-25T16:14:22.085Z", "dateUpdated": "2026-03-25T16:14:22.085Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "eventprime-event-calendar-management", "product": "EventPrime", "vendor": "Metagauss", "versions": [{"changes": [{"at": "4.2.7.0", "status": "unaffected"}], "lessThanOrEqual": "<= 4.2.6.0", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Nguyen Ba Khanh | Patchstack Bug Bounty Program"}], "datePublic": "2026-03-25T17:12:01.311Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in Metagauss EventPrime eventprime-event-calendar-management allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects EventPrime: from n/a through <= 4.2.6.0.</p>"}], "value": "Missing Authorization vulnerability in Metagauss EventPrime eventprime-event-calendar-management allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects EventPrime: from n/a through <= 4.2.6.0."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:22.085Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/eventprime-event-calendar-management/vulnerability/wordpress-eventprime-plugin-4-2-6-0-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress EventPrime plugin <= 4.2.6.0 - Broken Access Control vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Metagauss EventPrime eventprime-event-calendar-management allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects EventPrime: from n/a through <= 4.2.6.0."}], "id": "CVE-2025-69358", "lastModified": "2026-03-25T17:16:27.830", "metrics": {}, "published": "2026-03-25T17:16:27.830", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/eventprime-event-calendar-management/vulnerability/wordpress-eventprime-plugin-4-2-6-0-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,4.2.6.0]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "4.2.7.0"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "EventPrime", "source": "cna", "vendor": "Metagauss"}, "product": "eventprime", "vendor": "metagauss"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-25T17:28:43.158267+00:00", "value": {"mitigation_remediation": ["Upgrade EventPrime to a version newer than 4.2.6.0.", "Verify that role\u2011based access controls for event management are enabled after the upgrade.", "Restrict the capabilities of user roles that should not modify events (e.g., limit \"Editor\" and \"Author\" roles).", "Review site logs for anomalous event creation, editing, or deletion activities.", "If an upgrade is temporarily infeasible, consider disabling event editing features for all roles except administrators as a temporary mitigation."], "summary": {"action": "Apply Patch", "impact": "Unauthorized Access through Broken Access Control"}, "threat_synthesis": {"affected_systems": "All WordPress sites that host the Metagauss EventPrime event calendar management plugin at version 4.2.6.0 or earlier are affected. This includes any installation that has not upgraded beyond that version. No other products or platforms are listed in the advisory.", "description_and_impact": "The vulnerability in the Metagauss EventPrime WordPress plugin allows wrong or missing authorization checks on event data operations. An attacker or a user with insufficient privileges can view, edit, or delete events, potentially exposing sensitive information or disrupting site content. The weakness is a classic Missing Authorization flaw (CWE\u2011862).", "risk_and_exploitability": "EPSS information is not available and the vulnerability does not appear in the CISA KEV catalog, but the lack of proper access control dominantly raises the risk of exploitation. The plugin\u2019s functions are exposed over the web, so the likely attack vector is remote via HTTP requests. An attacker who can authenticate or even act as an existing low\u2011privileged user may exploit the flaw to gain elevated capabilities. While a CVSS score is not supplied, typical impacts for this type of missing authorization are regarded as high due to the potential for data tampering and denial of service."}}}}, "created": "2026-03-25T21:35:31.603508+00:00", "updated": "2026-03-26T11:40:45.605089+00:00", "vendors": ["metagauss", "metagauss$PRODUCT$eventprime", "wordpress", "wordpress$PRODUCT$wordpress"]}