This vulnerability is a missing authorization flaw in Webnus Inc.'s Modern Events Calendar plugin, enabling users to bypass intended access controls. The flaw arises from incorrectly configured security levels, which allows unauthenticated or low‑privileged users to gain unauthorized access to restricted functionality or data exposed by the plugin. The result is that sensitive event information, user data, or configuration settings may be read or modified, potentially leading to data exposure or privilege escalation within the WordPress site.

The issue affects all installations of the Modern Events Calendar plugin version 7.29.0 and earlier. The affected vendor is Webnus Inc. and the product is the Modern Events Calendar plugin for WordPress.

The CVSS score of 5.3 classifies the flaw as moderate severity; no EPSS score is available and the vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is a web‑based request to the plugin's endpoints and the attack requires no special initial condition beyond visiting the site. Because any user could exploit the misconfiguration, the risk is that even attackers with no credentials could read or modify protected data, while authenticated users with insufficient permissions could still execute functions intended for higher‑privilege accounts. The lack of a known exploit reduces the immediate threat, but the moderate CVSS indicates that exploitation would still provide meaningful access to plugin data.