CVE-2025-60121
Description
Missing Authorization vulnerability in Ex-Themes WooEvents woo-events allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WooEvents: from n/a through <= 4.1.7.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Missing authorization in WooEvents plugin versions ≤4.1.7 allows attackers to exploit incorrectly configured access controls.
Vulnerability Description
CVE-2025-60121 is a missing authorization vulnerability in the WooEvents plugin for WordPress, affecting versions up to and including 4.1.7. The plugin fails to properly enforce access control checks, allowing unprivileged users to execute actions that should require higher privileges. This is a classic broken access control issue, where the plugin does not adequately verify authentication or nonce tokens in certain functions [1].
Exploitation and Attack Surface
Attackers can exploit this vulnerability without requiring authentication, as the missing authorization checks allow any unauthenticated user to perform privileged actions. The attack vector is over the network, and the low complexity makes it easily exploitable. The vulnerability is particularly dangerous because it can be used in mass-exploit campaigns targeting thousands of websites regardless of their size or popularity [1].
Impact
If successfully exploited, an attacker can gain access to functions and data that should be restricted to higher-privileged users, potentially leading to unauthorized data modification or disclosure. The CVSS v3 base score is 5.3 (Medium), reflecting the potential for unauthorized access but limited impact on confidentiality, integrity, and availability [1].
Mitigation
The vendor has released a fix in version 4.1.8 of the WooEvents plugin. Users are strongly advised to update immediately to mitigate the vulnerability. For those unable to update, it is recommended to seek assistance from hosting providers or web developers. Patchstack users can enable auto-updates for vulnerable plugins [1].
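To support the update advice above, here is an added example (not part of the original page and not the plugin's code) that checks whether a WordPress plugins directory holds a WooEvents release older than 4.1.8. It assumes the plugin directory is named after the slug `woo-events`, treats every version below 4.1.8 as affected, and runs its demo against constructed plugin trees.

```python
import re
import tempfile
from pathlib import Path

SLUG = "woo-events"   # plugin slug as given in the CVE description
FIXED_IN = (4, 1, 8)  # first fixed release according to the page

# WordPress reads plugin metadata from a comment header in a root-level PHP file.
HEADER = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.*?)\s*$", re.M | re.I)

def read_header(php_file):
    head = php_file.read_bytes()[:8192].decode("utf-8", "replace")  # header sits near the top
    return {key.lower(): value for key, value in HEADER.findall(head)}

def installed_version(plugins_dir):
    plugin_dir = Path(plugins_dir) / SLUG  # assumption: directory name equals the slug
    if not plugin_dir.is_dir():
        return None
    for php in sorted(plugin_dir.glob("*.php")):
        meta = read_header(php)
        if "plugin name" in meta:  # only the plugin's main file carries this header
            return meta.get("version", "")
    return None

def status(plugins_dir):
    version = installed_version(plugins_dir)
    if version is None:
        return "not-installed"
    nums = tuple(int(n) for n in re.findall(r"\d+", version)[:3])
    if not nums:
        return "unknown-version"  # header present but no usable Version line
    return "affected" if nums < FIXED_IN else "fixed"  # conservative: below 4.1.8 is affected

def demo():
    """Run the check against constructed plugin trees (not real plugin code)."""
    cases = {"old": "Version: 4.1.7", "new": "Version: 4.1.8",
             "odd": "Description: header without a version", "absent": None}
    results = {}
    for label, line in cases.items():
        with tempfile.TemporaryDirectory() as root:
            if line is not None:
                plugin = Path(root) / SLUG
                plugin.mkdir()
                (plugin / "helper.php").write_text("<?php // no header here\n")
                (plugin / "main.php").write_text(
                    f"<?php\n/*\n * Plugin Name: WooEvents\n * {line}\n */\n")
            results[label] = status(root)
    return results

if __name__ == "__main__":
    print(demo())
```

On a real site, pass the path to `wp-content/plugins` to `status()`; an `unknown-version` result should be reviewed by hand rather than assumed safe.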
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 0
No patches discovered yet.
References: 1
News mentions: 0
No linked articles in our index yet.