{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-6366", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-06-19T13:43:14.885Z", "datePublished": "2025-08-26T14:26:53.944Z", "dateUpdated": "2026-04-08T16:54:52.168Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:54:52.168Z"}, "affected": [{"vendor": "ovatheme.com", "product": "Event List", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.0.4", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Event List plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 2.0.4. This is due to the plugin not properly validating a user's capabilities prior to updating their profile in the el_update_profile() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change their capabilities to those of an administrator."}], "title": "Event List <= 2.0.4 - Authenticated (Subscriber+) Privilege Escalation", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5998520b-62fd-4b3d-9b78-6363b72b406d?source=cve"}, {"url": "https://themeforest.net/item/meup-marketplace-events-wordpress-theme/24770641"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-269 Improper Privilege Management", "cweId": "CWE-269", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Tonn"}], "timeline": [{"time": "2025-08-25T19:03:03.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-08-26T15:07:36.255272Z", "id": "CVE-2025-6366", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-26T15:07:45.824Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-6366", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-08-26T15:07:36.255272Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-26T15:07:41.278Z"}}], "cna": {"title": "Event List <= 2.0.4 - Authenticated (Subscriber+) Privilege Escalation", "credits": [{"lang": "en", "type": "finder", "value": "Tonn"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 8.8, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}}], "affected": [{"vendor": "ovatheme.com", "product": "Event List", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "2.0.4"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-08-25T19:03:03.000+00:00", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5998520b-62fd-4b3d-9b78-6363b72b406d?source=cve"}, {"url": "https://themeforest.net/item/meup-marketplace-events-wordpress-theme/24770641"}], "descriptions": [{"lang": "en", "value": "The Event List plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 2.0.4. This is due to the plugin not properly validating a user's capabilities prior to updating their profile in the el_update_profile() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change their capabilities to those of an administrator."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-269", "description": "CWE-269 Improper Privilege Management"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-08-26T14:26:53.944Z"}}}, "cveMetadata": {"cveId": "CVE-2025-6366", "state": "PUBLISHED", "dateUpdated": "2025-08-26T15:07:45.824Z", "dateReserved": "2025-06-19T13:43:14.885Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-08-26T14:26:53.944Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Event List plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 2.0.4. This is due to the plugin not properly validating a user's capabilities prior to updating their profile in the el_update_profile() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change their capabilities to those of an administrator."}, {"lang": "es", "value": "El complemento Event List para WordPress es vulnerable a la escalada de privilegios en todas las versiones hasta la 2.0.4 incluida. Esto se debe a que el complemento no valida correctamente las capacidades del usuario antes de actualizar su perfil en la funci\u00f3n el_update_profile(). Esto permite que atacantes autenticados, con acceso de suscriptor o superior, modifiquen sus capacidades a las de un administrador."}], "id": "CVE-2025-6366", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-08-26T15:15:48.710", "references": [{"source": "security@wordfence.com", "url": "https://themeforest.net/item/meup-marketplace-events-wordpress-theme/24770641"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5998520b-62fd-4b3d-9b78-6363b72b406d?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-269"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T04:00:23.218136+00:00", "value": {"mitigation_remediation": ["Upgrade Event List to a version newer than 2.0.4 or apply the vendor\u2019s official patch if available.", "Restrict usage of el_update_profile() by disabling or limiting profile update features for Subscriber and lower roles until the fix is deployed.", "If an immediate upgrade is not possible, review all Subscriber accounts and temporarily reduce their capabilities to a non-administrative role or remove them until the patch is applied, ensuring no user can elevate privileges via this path."], "summary": {"action": "Immediate Patch", "impact": "Privilege Escalation"}, "threat_synthesis": {"affected_systems": "The flaw affects every WordPress site that has Event List version 2.0.4 or earlier installed by ovatheme.com. Any account that can log in as a Subscriber or higher is a potential target for privilege escalation.", "description_and_impact": "The Event List plugin for WordPress is vulnerable due to a lack of capability validation in the el_update_profile() function. Authenticated users with Subscriber-level access or higher can modify their role to Administrator, giving them full administrative control over the site, including installing plugins, altering settings, and accessing sensitive data.", "risk_and_exploitability": "With a CVSS score of 8.8 the vulnerability is considered high severity. The EPSS score of less than 1% suggests exploitation is unlikely in the near term, and the flaw is not yet listed in CISA KEV. Because the attack requires only a normal profile update by an authenticated user, the exploitation path is straightforward for those who can log in."}}}}, "created": "2025-08-27T11:21:41.994316+00:00", "updated": "2026-04-22T04:15:07.529284+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}