{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-68007", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2025-12-15T10:00:49.130Z", "datePublished": "2026-01-22T16:52:00.859Z", "dateUpdated": "2026-04-28T16:14:25.834Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "event-espresso-decaf", "product": "Event Espresso 4 Decaf", "vendor": "Event Espresso", "versions": [{"changes": [{"at": "5.0.53.decaf", "status": "unaffected"}], "lessThanOrEqual": "5.0.37.decaf", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Legion Hunter | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-22T14:21:22.035Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in Event Espresso Event Espresso 4 Decaf event-espresso-decaf allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Event Espresso 4 Decaf: from n/a through <= 5.0.37.decaf.</p>"}], "value": "Missing Authorization vulnerability in Event Espresso Event Espresso 4 Decaf event-espresso-decaf allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Event Espresso 4 Decaf: from n/a through <= 5.0.37.decaf."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:25.834Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/event-espresso-decaf/vulnerability/wordpress-event-espresso-4-decaf-plugin-5-0-37-decaf-settings-change-vulnerability?_s_id=cve"}], "title": "WordPress Event Espresso 4 Decaf plugin <= 5.0.37.decaf - Settings Change vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-28T21:32:54.685814Z", "id": "CVE-2025-68007", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-27T18:26:45.564Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-68007", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-28T21:32:54.685814Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-28T21:32:48.845Z"}}], "cna": {"title": "WordPress Event Espresso 4 Decaf plugin <= 5.0.37.decaf - Settings Change vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Legion Hunter | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Event Espresso", "product": "Event Espresso 4 Decaf", "versions": [{"status": "affected", "changes": [{"at": "5.0.53.decaf", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "5.0.37.decaf"}], "packageName": "event-espresso-decaf", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-22T14:21:22.035Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/event-espresso-decaf/vulnerability/wordpress-event-espresso-4-decaf-plugin-5-0-37-decaf-settings-change-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Event Espresso Event Espresso 4 Decaf event-espresso-decaf allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Event Espresso 4 Decaf: from n/a through <= 5.0.37.decaf.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in Event Espresso Event Espresso 4 Decaf event-espresso-decaf allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Event Espresso 4 Decaf: from n/a through <= 5.0.37.decaf.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-23T14:13:55.625Z"}}}, "cveMetadata": {"cveId": "CVE-2025-68007", "state": "PUBLISHED", "dateUpdated": "2026-04-27T18:26:45.564Z", "dateReserved": "2025-12-15T10:00:49.130Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-01-22T16:52:00.859Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Event Espresso Event Espresso 4 Decaf event-espresso-decaf allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Event Espresso 4 Decaf: from n/a through <= 5.0.37.decaf."}, {"lang": "es", "value": "Vulnerabilidad de autorizaci\u00f3n faltante en Event Espresso Event Espresso 4 Decaf event-espresso-decaf permite la explotaci\u00f3n de niveles de seguridad de control de acceso configurados incorrectamente. Este problema afecta a Event Espresso 4 Decaf: desde n/a hasta &lt;= 5.0.37.decaf."}], "id": "CVE-2025-68007", "lastModified": "2026-04-27T19:16:21.513", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "audit@patchstack.com", "type": "Secondary"}]}, "published": "2026-01-22T17:16:06.963", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/event-espresso-decaf/vulnerability/wordpress-event-espresso-4-decaf-plugin-5-0-37-decaf-settings-change-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-27T21:26:44.375281+00:00", "value": {"mitigation_remediation": ["Update the plugin to a version above\u202f5.0.37.decaf, if one is available or the vendor discloses a patch", "If an update is not possible, restrict the plugin\u2019s administrative interface to trusted user roles or implement role\u2011based access controls in WordPress to ensure only authorized users can modify settings", "Audit and monitor plugin configuration changes regularly to detect unauthorized modifications and investigate any anomalies"], "summary": {"action": "Patch Update", "impact": "Privilege Escalation via Unauthorized Settings Modification"}, "threat_synthesis": {"affected_systems": "Affected by Event Espresso:Event Espresso 4 Decaf for versions from n/a through\u202f\u2264\u202f5.0.37.decaf. Any installation of the plugin on WordPress that falls within this version range is susceptible.", "description_and_impact": "The vulnerability is a missing authorization flaw that allows an attacker to change plugin settings within WordPress Event Espresso 4 Decaf. The flaw is based on incorrectly configured access control security levels, enabling an unauthenticated or low\u2011privilege user to perform privileged actions. The impact is that an attacker could alter configuration options, potentially compromising site functionality or enabling further attacks.", "risk_and_exploitability": "The CVSS score of 6.5 indicates moderate severity. The EPSS score of <\u202f1\u202f% suggests a low likelihood of exploitation at the time of analysis. The vulnerability is not listed in CISA KEV. Based on the description the likely attack vector is a web\u2011based request to the plugin\u2019s settings endpoint, and the exploitation requires the attacker to be authenticated with a role that is incorrectly granted permission to change settings. Because the flaw is an authorization bypass (CWE\u2011862), attackers who can reach the plugin\u2019s administrative interface can modify configuration data without proper checks."}}}}, "created": "2026-01-23T16:31:21.815256+00:00", "updated": "2026-04-27T21:30:13.899251+00:00", "vendors": ["eventespresso", "eventespresso$PRODUCT$event_espresso_4_decaf", "wordpress", "wordpress$PRODUCT$wordpress"]}