Description
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Metagauss EventPrime eventprime-event-calendar-management allows Retrieve Embedded Sensitive Data. This issue affects EventPrime: from n/a through <= 4.2.8.3.
Published: 2026-02-19
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Sensitive Data Exposure
Action: Apply Patch
AI Analysis

Impact

A flaw in Metagauss EventPrime event scheduling plugin versions up to 4.2.8.3 allows an attacker to retrieve embedded sensitive system information, effectively leaking confidential data. This weakness corresponds to CWE‑497 and permits unauthorized disclosure of data that should be protected from the control sphere. The vendor documentation indicates that the issue stems from an exposure of sensitive system information during plugin operation, but the exact mechanism is not detailed in the public description.

Affected Systems

The vulnerability impacts the EventPrime plugin for WordPress developed by Metagauss. All releases from the first public version up to and including 4.2.8.3 are vulnerable. Users running any of these versions should verify the installed plugin version and consider upgrading if still in use.

Risk and Exploitability

The CVSS score of 5.3 places this vulnerability in the medium severity range. The EPSS score of less than 1% indicates a very low current likelihood of exploitation. It is not listed in the CISA KEV catalog, meaning CISA has no record of it being exploited in the wild. The description does not spell out the attack path; the recorded CVSS vector (AV:N/AC:L/PR:N/UI:N) indicates a network-reachable flaw that needs no privileges or user interaction, and from the nature of the vulnerability it is inferred that it could be triggered by accessing plugin‑related endpoints that expose internal data, so it may be exploitable remotely through the WordPress front‑end or back‑end depending on configuration.

Generated by OpenCVE AI on April 16, 2026 at 00:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest EventPrime plugin update (4.2.8.4 or later) to eliminate the sensitive data exposure flaw.
  • If an immediate update is not feasible, disable or restrict access to any plugin pages or API endpoints that display the exposed data by editing the plugin’s configuration or the WordPress site’s access controls.
  • As a temporary precaution, scan the site for any inadvertently exposed files or database contents that could be leveraged by the vulnerability, and remove or secure them promptly.


Advisories

No advisories yet.

History

Sat, 28 Feb 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 27 Feb 2026 17:30:00 +0000

Type Values Removed Values Added
Metrics: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


Fri, 20 Feb 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared: Metagauss; Metagauss eventprime; Wordpress; Wordpress wordpress
Vendors & Products: Metagauss; Metagauss eventprime; Wordpress; Wordpress wordpress

Thu, 19 Feb 2026 08:45:00 +0000

Type Values Removed Values Added
Description: Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Metagauss EventPrime eventprime-event-calendar-management allows Retrieve Embedded Sensitive Data. This issue affects EventPrime: from n/a through <= 4.2.8.3.
Title: WordPress EventPrime plugin <= 4.2.8.3 - Sensitive Data Exposure vulnerability
Weaknesses: CWE-497
References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:57.654Z

Reserved: 2026-02-02T12:53:07.231Z

Link: CVE-2026-25389

Vulnrichment

Updated: 2026-02-27T16:23:21.528Z

NVD

Status: Deferred

Published: 2026-02-19T09:16:21.093

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-25389

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T00:30:18Z
