Medium severity5.3NVD Advisory· Published Jan 13, 2026· Updated Apr 15, 2026

CVE-2025-14507

Description

The EventPrime - Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.2.7.0 via the REST API. This makes it possible for unauthenticated attackers to extract sensitive booking data including user names, email addresses, ticket details, payment information, and order keys when the API is enabled by an administrator. The vulnerability was partially patched in version 4.2.7.0.

Affected products

WordPress/Eventprime Event Calendar Managementinferred
Range: <=4.2.7.0
Package: https://wordpress.org/plugins/eventprime-event-calendar-management

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

plugins.trac.wordpress.org/browser/eventprime-event-calendar-management/trunk/includes/class-eventprime-rest-api.phpnvd
plugins.trac.wordpress.org/browser/eventprime-event-calendar-management/trunk/includes/class-eventprime-rest-api.phpnvd
plugins.trac.wordpress.org/changeset/3422587/nvd
plugins.trac.wordpress.org/changeset/3432454/nvd
www.wordfence.com/threat-intel/vulnerabilities/id/4b170ed1-72ee-40b6-9882-e978d630f6bbnvd

News mentions

No linked articles in our index yet.

cvss	0.345
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000