CVE-2025-8091
Severity CVSS v4.0:
Pending analysis
Type:
CWE-200
Information Leak / Disclosure
Publication date:
15/08/2025
Last modified:
15/08/2025
Description
The EventON Lite plugin for WordPress is vulnerable to Information Exposure in all versions less than, or equal to, 2.4.6 via the add_single_eventon and add_eventon shortcodes due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
Impact
Base Score 3.x
4.30
Severity 3.x
MEDIUM
References to Advisories, Solutions, and Tools
- https://plugins.trac.wordpress.org/browser/eventon-lite/trunk/includes/calendar/class-calendar_generator.php#L954
- https://plugins.trac.wordpress.org/browser/eventon-lite/trunk/includes/class-event.php#L39
- https://plugins.trac.wordpress.org/browser/eventon-lite/trunk/includes/class-evo-shortcodes.php#L32
- https://plugins.trac.wordpress.org/browser/eventon-lite/trunk/includes/class-evo-shortcodes.php#L81
- https://wordpress.org/plugins/eventon-lite/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/421fcee2-a05d-4486-837e-ddee3d73d737?source=cve