VYPR
← All advisories
High severity7.5NVD Advisory· Published Jun 16, 2026· Updated Jun 16, 2026

CVE-2025-68045

CVE-2025-68045

Description

Unauthenticated broken access control in WP Event Solution plugin ≤4.1.12 allows unprivileged attackers to execute higher-privileged actions.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Unauthenticated broken access control in WP Event Solution plugin ≤4.1.12 allows unprivileged attackers to execute higher-privileged actions.

Vulnerability

The WP Event Solution plugin for WordPress versions up to and including 4.1.12 contains a broken access control vulnerability [1]. This flaw arises from missing authorization, authentication, or nonce token checks in certain functions, allowing unauthenticated users to trigger actions that should require higher privileges [1].

Exploitation

An attacker can exploit this vulnerability without any authentication or user interaction [1]. By sending specially crafted HTTP requests to the affected plugin endpoints, the attacker can bypass access controls and execute privileged operations [1]. The vulnerability is expected to be used in mass-exploit campaigns targeting thousands of websites [1].

Impact

Successful exploitation enables an attacker to perform actions normally restricted to higher-privileged users, such as administrators [1]. This could lead to unauthorized data disclosure, modification, or other malicious activities depending on the specific function lacking access control [1].

Mitigation

The vulnerability is fixed in version 4.1.13 of the WP Event Solution plugin [1]. Users are advised to update immediately. For those unable to update, Patchstack has issued a mitigation rule to block attacks until a patch is applied [1].

References
  1. Broken Access Control in WordPress WP Event SOlution Plugin

AI Insight generated on Jun 16, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

1

News mentions

0

No linked articles in our index yet.