Description
The Event Koi Lite – Events Calendar, Event Management, RSVP, and Tickets plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.3.13.1 via the get_events. This makes it possible for unauthenticated attackers to extract sensitive data including virtual meeting URLs, physical location data, latitude/longitude coordinates, Google Maps links, and RSVP configuration belonging to draft, pending, and private events that are otherwise inaccessible via public URLs.
Published: 2026-06-18
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Event Koi Lite – Events Calendar, Event Management, RSVP, and Tickets for WordPress is vulnerable to sensitive information exposure via its get_events REST API endpoint. The flaw allows an unauthenticated attacker to retrieve confidential details such as virtual meeting URLs, physical location data, latitude/longitude coordinates, Google Maps links, and RSVP configuration for events that are in draft, pending, or private status. This disclosure can lead to privacy violations and compromise of event logistics that remain otherwise protected from public access.

Affected Systems

The vulnerability affects all installations of the Event Koi Lite plugin for WordPress up to and including version 1.3.13.1. Administrators should check whether their installed version falls in this range and update if possible.

Risk and Exploitability

The CVSS score of 5.3 indicates medium severity, and the EPSS score of less than 1% indicates a low predicted likelihood of exploitation. Although the issue is not listed in the CISA KEV catalog, the attack surface is open to any unauthenticated user who can reach the REST API. If exploited, an attacker can harvest sensitive data, potentially leading to privacy breaches and operational disruptions. The attack vector is inferred to be an unauthenticated HTTP request to the get_events endpoint, which the plugin currently does not protect with an authorization check, the weakness class described by CWE-862 (Missing Authorization).

Generated by OpenCVE AI on June 18, 2026 at 17:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Event Koi Lite to the latest version (≥ 1.3.14) as soon as a patch is available.
  • Restrict the get_events API endpoint so that only authenticated users can retrieve event details, especially for draft, pending, and private events.
  • Ensure that the plugin’s permission checks enforce proper authorization before exposing sensitive event data.

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 16:45:00 +0000

Type | Values Removed | Values Added
Description | | The Event Koi Lite – Events Calendar, Event Management, RSVP, and Tickets plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.3.13.1 via the get_events. This makes it possible for unauthenticated attackers to extract sensitive data including virtual meeting URLs, physical location data, latitude/longitude coordinates, Google Maps links, and RSVP configuration belonging to draft, pending, and private events that are otherwise inaccessible via public URLs.
Title | | Event Koi Lite <= 1.3.13.1 - Missing Authorization to Unauthenticated Sensitive Information Exposure via REST API Endpoints
Weaknesses | | CWE-862
References | |
Metrics | | cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}
        | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-18T12:34:33.636Z

Reserved: 2026-05-28T18:30:45.769Z

Link: CVE-2026-10029

Vulnrichment

Updated: 2026-06-18T12:34:30.275Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-18T17:45:13Z

Weaknesses