{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-14029", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-12-04T14:29:13.860Z", "datePublished": "2026-01-17T04:34:00.530Z", "dateUpdated": "2026-04-08T16:34:30.673Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:34:30.673Z"}, "affected": [{"vendor": "jackdewey", "product": "Community Events", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.5.6", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Community Events plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_admin_event_approval() function in all versions up to, and including, 1.5.6. This makes it possible for unauthenticated attackers to approve arbitrary events via the 'eventlist' parameter."}], "title": "Community Events <= 1.5.6 - Missing Authorization to Unauthenticated Arbitrary Event Approval via 'eventlist' Parameter", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/098c3f4c-b6bc-462a-98ef-30e6a68d74cf?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/community-events/trunk/community-events.php#L160"}, {"url": "https://plugins.trac.wordpress.org/browser/community-events/tags/1.5.5/community-events.php#L160"}, {"url": "https://plugins.trac.wordpress.org/browser/community-events/tags/1.5.5/community-events.php#L64"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3437116%40community-events&new=3437116%40community-events&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Itthidej Aramsri"}], "timeline": [{"time": "2025-12-04T14:44:23.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-01-16T15:39:05.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-20T18:30:48.071407Z", "id": "CVE-2025-14029", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-20T18:31:08.439Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-14029", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-20T18:30:48.071407Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-20T18:31:01.870Z"}}], "cna": {"title": "Community Events <= 1.5.6 - Missing Authorization to Unauthenticated Arbitrary Event Approval via 'eventlist' Parameter", "credits": [{"lang": "en", "type": "finder", "value": "Itthidej Aramsri"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "jackdewey", "product": "Community Events", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "1.5.6"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-12-04T14:44:23.000+00:00", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-01-16T15:39:05.000+00:00", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/098c3f4c-b6bc-462a-98ef-30e6a68d74cf?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/community-events/trunk/community-events.php#L160"}, {"url": "https://plugins.trac.wordpress.org/browser/community-events/tags/1.5.5/community-events.php#L160"}, {"url": "https://plugins.trac.wordpress.org/browser/community-events/tags/1.5.5/community-events.php#L64"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3437116%40community-events&new=3437116%40community-events&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The Community Events plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_admin_event_approval() function in all versions up to, and including, 1.5.6. This makes it possible for unauthenticated attackers to approve arbitrary events via the 'eventlist' parameter."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-01-17T04:34:00.530Z"}}}, "cveMetadata": {"cveId": "CVE-2025-14029", "state": "PUBLISHED", "dateUpdated": "2026-01-20T18:31:08.439Z", "dateReserved": "2025-12-04T14:29:13.860Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-01-17T04:34:00.530Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Community Events plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_admin_event_approval() function in all versions up to, and including, 1.5.6. This makes it possible for unauthenticated attackers to approve arbitrary events via the 'eventlist' parameter."}, {"lang": "es", "value": "El plugin Community Events para WordPress es vulnerable a la modificaci\u00f3n no autorizada de datos debido a una comprobaci\u00f3n de capacidad faltante en la funci\u00f3n ajax_admin_event_approval() en todas las versiones hasta la 1.5.6, inclusive. Esto hace posible que atacantes no autenticados aprueben eventos arbitrarios a trav\u00e9s del par\u00e1metro 'eventlist'."}], "id": "CVE-2025-14029", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-01-17T05:16:10.370", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/community-events/tags/1.5.5/community-events.php#L160"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/community-events/tags/1.5.5/community-events.php#L64"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/community-events/trunk/community-events.php#L160"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3437116%40community-events&new=3437116%40community-events&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/098c3f4c-b6bc-462a-98ef-30e6a68d74cf?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T20:09:33.569211+00:00", "value": {"mitigation_remediation": ["Upgrade the Community Events plugin to a version newer than 1.5.6 that includes the missing capability check", "If upgrading is not immediately feasible, disable the Community Events plugin entirely to prevent the vulnerable functionality from being invoked", "As a temporary measure, apply server\u2011side restrictions such as firewall rules or .htaccess directives to deny unauthenticated access to the /wp-admin/admin-ajax.php endpoint for the Community Events plugin"], "summary": {"action": "Apply Fix", "impact": "Unauthorized event approval"}, "threat_synthesis": {"affected_systems": "All installations of the Community Events plugin released by jackdewey, version 1.5.6 and earlier, are affected. WordPress sites running any of these versions without upgrading to a newer release are exposed.", "description_and_impact": "The Community Events WordPress plugin lacks a capability check in its ajax_admin_event_approval() function, which allows an unauthenticated attacker to approve any event by supplying an arbitrary eventlist parameter. The flaw permits manipulation of event statuses and could be used to publish or promote events without proper authorization. The weakness corresponds to CWE\u2011862 \"Missing Authorization.\"", "risk_and_exploitability": "The CVSS score of 5.3 indicates moderate severity, while the EPSS score of less than 1\u202f% signals a low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. An attacker can exploit the flaw via an unauthenticated HTTP request to the plugin\u2019s AJAX endpoint, passing a crafted eventlist parameter. Because no authentication or authorization checks exist, the attack can be carried out without credentials, making it a straightforward remote compromise of event data."}}}}, "created": "2026-01-19T09:19:37.992533+00:00", "updated": "2026-04-22T20:15:20.533204+00:00", "vendors": ["jackdewey", "jackdewey$PRODUCT$community_events", "wordpress", "wordpress$PRODUCT$wordpress"]}