CVE-2025-47565

The EventON plugin for WordPress versions up to and including 4.9.9 contains a missing authorization vulnerability. This flaw arises because certain plugin functions lack proper access control checks, such as authentication or nonce verification, allowing unprivileged users to perform actions that should be restricted to higher-privileged roles [1].

Exploitation does not require any authentication; unauthenticated attackers can send crafted HTTP requests to vulnerable endpoints. The attack complexity is low, and no special prerequisites are needed beyond network access to the target site. This makes the vulnerability attractive for mass-exploit campaigns targeting thousands of WordPress installations [1].

Successful exploitation can lead to unauthorized access to sensitive data, modification of plugin settings, or other actions that compromise site security. The CVSS v3 score of 6.3 (Medium) reflects the moderate impact, but the vulnerability is expected to be actively exploited in automated attacks [1].

Users are strongly advised to update the EventON plugin to a patched version beyond 4.9.9 as soon as possible. If an immediate update is not feasible, implementing additional access controls or using a web application firewall can help mitigate the risk until the update is applied [1].