Impact
The WP Eventin plugin contains a broken access control flaw where user authentication is not verified before performing create, modify, or delete operations on event data. This vulnerability allows an attacker with no credentials to gain unauthorized access to privileged event functions, potentially leading to data loss, defacement, or exposure of sensitive event information. The weakness is classified as CWE-862, improper authorization handling.
Affected Systems
The flaw affects all installations of the WordPress Eventin Plugin provided by Arraytics:WP Event Solution that are running version 4.1.8 or earlier, irrespective of the underlying WordPress core version.
Risk and Exploitability
The CVSS score of 7.5 indicates a high impact over the confidentiality and integrity of event data. The EPSS score is below 1%, suggesting that real-world exploitation has been limited or not observed yet, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that the attack vector involves unauthenticated HTTP requests to the plugin's API endpoints; an attacker can craft requests to trigger the privileged actions without authentication. The lack of access checks lowers the barrier for exploitation, but the low EPSS indicates it has not yet attracted widespread attacks.
OpenCVE Enrichment