Description
The Ovatheme Events Manager plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several functions in the /class-ovaem-ajax.php file in all versions up to, and including, 1.8.6. This makes it possible for unauthenticated attackers to delete ticket files, download tickets, and more.
Published: 2025-11-08
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Data Deletion and Disclosure
Action: Patch Immediately
AI Analysis

Impact

The Ovatheme Events Manager plugin contains a missing capability check in several functions within its AJAX handler file, allowing any user, including unauthenticated visitors, to perform privileged operations. An attacker can trigger these functions to delete ticket files or download ticket data, resulting in loss or exposure of sensitive event information. The flaw is classified as a missing authorization control (CWE-862).

Affected Systems

All released versions of Ovatheme Events Manager up to and including 1.8.6 are affected. The plugin is a WordPress component that can be installed from the theme marketplace or WordPress repository. Users running any of these versions on their website are at risk until they upgrade or remove the plugin.

Risk and Exploitability

The base CVSS score is 6.5, indicating moderate severity, while the EPSS indicates a very low but nonzero likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. Because the flaw enables unauthenticated access through public AJAX endpoints, an attacker who discovers the exposed URL paths could exploit the issue without needing to authenticate. The potential impact includes deletion of ticket files and unauthorized disclosure of ticket content.

Generated by OpenCVE AI on April 21, 2026 at 01:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Ovatheme Events Manager to the latest release that includes the missing capability check.
  • If a version update is not possible, remove or disable the plugin to eliminate exposed AJAX endpoints.
  • Monitor WordPress access and error logs for attempts to delete or download ticket files, indicating potential exploitation.

Generated by OpenCVE AI on April 21, 2026 at 01:47 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 13 Nov 2025 22:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 10 Nov 2025 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Ovatheme
Ovatheme events Manager Plugin
Wordpress
Wordpress wordpress
Vendors & Products Ovatheme
Ovatheme events Manager Plugin
Wordpress
Wordpress wordpress

Sat, 08 Nov 2025 03:45:00 +0000

Type Values Removed Values Added
Description The Ovatheme Events Manager plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several functions in the /class-ovaem-ajax.php file in all versions up to, and including, 1.8.6. This makes it possible for unauthenticated attackers to delete ticket files, download tickets, and more.
Title Ovatheme Events Manager <= 1.8.6 - Missing Authorization
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}

Subscriptions

Ovatheme Events Manager Plugin
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:53:12.750Z

Reserved: 2025-07-14T20:54:40.540Z

Link: CVE-2025-7663

cve-icon Vulnrichment

Updated: 2025-11-13T21:39:44.663Z

cve-icon NVD

Status : Deferred

Published: 2025-11-08T04:15:45.597

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-7663

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T02:00:12Z

Weaknesses