{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-3527", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-04-11T17:33:43.427Z", "datePublished": "2025-05-17T11:17:16.160Z", "dateUpdated": "2026-04-08T16:53:23.165Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:53:23.165Z"}, "affected": [{"vendor": "EventON", "product": "EventON (Pro) - WordPress Virtual Event Calendar Plugin", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "4.9.6", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The EventON Pro plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check in the 'assets/lib/settings/settings.js' file in all versions up to, and including, 4.9.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The vulnerability was partially patched in version 4.9.6."}], "title": "EventON - WordPress Virtual Event Calendar Plugin <= 4.9.6 - Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/549ca9cf-0183-4c19-9bd5-b6d55a69df31?source=cve"}, {"url": "https://codecanyon.net/item/eventon-wordpress-event-calendar-plugin/1211017#item-description__change-log"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "anhchangmutrang"}], "timeline": [{"time": "2025-05-16T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-05-19T14:57:19.370145Z", "id": "CVE-2025-3527", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-19T14:57:27.177Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-3527", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-05-19T14:57:19.370145Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-19T14:57:24.358Z"}}], "cna": {"title": "EventON - WordPress Virtual Event Calendar Plugin <= 4.9.6 - Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting", "credits": [{"lang": "en", "type": "finder", "value": "anhchangmutrang"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "EventON", "product": "EventON (Pro) - WordPress Virtual Event Calendar Plugin", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "4.9.6"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-05-16T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/549ca9cf-0183-4c19-9bd5-b6d55a69df31?source=cve"}, {"url": "https://codecanyon.net/item/eventon-wordpress-event-calendar-plugin/1211017#item-description__change-log"}], "descriptions": [{"lang": "en", "value": "The EventON Pro plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check in the 'assets/lib/settings/settings.js' file in all versions up to, and including, 4.9.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The vulnerability was partially patched in version 4.9.6."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:53:23.165Z"}}}, "cveMetadata": {"cveId": "CVE-2025-3527", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:53:23.165Z", "dateReserved": "2025-04-11T17:33:43.427Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-05-17T11:17:16.160Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:myeventon:eventon:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "F7BA38FE-D0DF-4433-8184-E0CD618C2C00", "versionEndIncluding": "4.9.6", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The EventON Pro plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check in the 'assets/lib/settings/settings.js' file in all versions up to, and including, 4.9.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The vulnerability was partially patched in version 4.9.6."}, {"lang": "es", "value": "El complemento EventON Pro para WordPress es vulnerable a la modificaci\u00f3n no autorizada de datos debido a la falta de una comprobaci\u00f3n de capacidad en el archivo 'assets/lib/settings/settings.js' en todas las versiones hasta la 4.9.6 incluida. Esto permite a atacantes autenticados, con acceso de suscriptor o superior, inyectar scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n al acceder un usuario a una p\u00e1gina inyectada. La vulnerabilidad se corrigi\u00f3 parcialmente en la versi\u00f3n 4.9.6."}], "id": "CVE-2025-3527", "lastModified": "2025-06-04T20:10:33.153", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-05-17T12:15:24.810", "references": [{"source": "security@wordfence.com", "tags": ["Release Notes"], "url": "https://codecanyon.net/item/eventon-wordpress-event-calendar-plugin/1211017#item-description__change-log"}, {"source": "security@wordfence.com", "tags": ["Third Party Advisory"], "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/549ca9cf-0183-4c19-9bd5-b6d55a69df31?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T01:32:33.883064+00:00", "value": {"mitigation_remediation": ["Apply the latest EventON Pro release (4.9.7 or newer) which removes the missing capability check", "Revoke unnecessary modification permissions from the Subscriber role if the plugin retains them in the latest version", "Implement a Content Security Policy that disallows inline scripts and mitigates XSS injection"], "summary": {"action": "Patch Now", "impact": "Stored Cross\u2011Site Scripting via Unauthorized Capability"}, "threat_synthesis": {"affected_systems": "WordPress sites that have the EventON Pro calendar plugin installed on any version through 4.9.6. The plugin can be downloaded from the CodeCanyon marketplace and is commonly used in public\u2011facing websites running WordPress.", "description_and_impact": "The EventON Pro WordPress plugin, versions up to 4.9.6, has a missing capability check that allows any authenticated user with a Subscriber role or higher to inject arbitrary web scripts into pages. These scripts execute whenever an affected page is viewed, potentially giving an attacker the ability to steal session cookies, deface content, or perform further malicious actions within the victim site. The weakness is a classic missing authorization flaw, classified as CWE\u2011862.", "risk_and_exploitability": "With a CVSS score of 6.4, the vulnerability is considered medium severity. The EPSS score is less than 1\u202f%, indicating a low current exploitation probability, and the issue is not listed in CISA\u2019s KEV catalog. However, because the flaw permits stored script injection via a role that is granted to typical site subscribers, an attacker only needs legitimate credentials to exploit it, which may make it attractive in targeted attacks."}}}}, "created": "2026-04-22T01:45:05.618149+00:00", "updated": "2026-04-22T01:45:05.618163+00:00", "vendors": []}