CVE-2025-57987

Vulnerability

Overview

The WP Events Manager plugin for WordPress, versions up to and including 2.2.1, contains a missing authorization vulnerability. The issue stems from a broken access control mechanism, where certain functions lack proper permission checks or nonce token validation. This allows an unprivileged user to execute actions that should require higher privileges [1].

Exploitation

Attackers can exploit this vulnerability without needing any special authentication, as the missing authorization check does not verify the user's role or capabilities. The attack surface is broad, as the plugin is widely used, and the vulnerability can be triggered through standard HTTP requests. No advanced technical skills are required to leverage this flaw [1].

Impact

Successful exploitation could allow an attacker to perform unauthorized actions, such as modifying event data, accessing or other administrative functions, depending on the specific missing check. While the CVSS score is 5.3 (Medium), the vulnerability is considered low severity in the WordPress context, but it can still be used in mass-exploit campaigns targeting thousands of sites [1].

Mitigation

The vendor has released version 2.2.2, which addresses the missing authorization issue. Users are strongly advised to update immediately. For those unable to update, contacting a hosting provider or web developer for assistance is recommended. Patchstack users can enable auto-updates for vulnerable plugins [1].