CVE-2025-8091

The EventON Lite plugin for WordPress is vulnerable to Information Exposure in all versions less than, or equal to, 2.4.6 via the add_single_eventon and add_eventon shortcodes due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
4.3 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
WordfenceCNA
4.3 MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Common Weakness Enumeration
References
https://plugins.trac.wordpress.org/browser/eventon-lite/trunk/includes/calendar/class-calendar_generator.php#L954
https://plugins.trac.wordpress.org/browser/eventon-lite/trunk/includes/class-event.php#L39
https://plugins.trac.wordpress.org/browser/eventon-lite/trunk/includes/class-evo-shortcodes.php#L32
https://plugins.trac.wordpress.org/browser/eventon-lite/trunk/includes/class-evo-shortcodes.php#L81
https://wordpress.org/plugins/eventon-lite/
https://www.wordfence.com/threat-intel/vulnerabilities/id/421fcee2-a05d-4486-837e-ddee3d73d737?source=cve