{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-69348", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2025-12-31T20:12:28.143Z", "datePublished": "2026-01-06T16:36:39.616Z", "dateUpdated": "2026-04-28T16:14:38.653Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "countdown-for-the-events-calendar", "product": "The Events Calendar Countdown Addon", "vendor": "CoolHappy", "versions": [{"changes": [{"at": "1.4.16", "status": "unaffected"}], "lessThanOrEqual": "1.4.15", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Legion Hunter | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-22T14:22:13.946Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in CoolHappy The Events Calendar Countdown Addon countdown-for-the-events-calendar allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects The Events Calendar Countdown Addon: from n/a through <= 1.4.15.</p>"}], "value": "Missing Authorization vulnerability in CoolHappy The Events Calendar Countdown Addon countdown-for-the-events-calendar allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects The Events Calendar Countdown Addon: from n/a through <= 1.4.15."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:38.653Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/countdown-for-the-events-calendar/vulnerability/wordpress-the-events-calendar-countdown-addon-plugin-1-4-15-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress The Events Calendar Countdown Addon plugin <= 1.4.15 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-06T19:48:31.219544Z", "id": "CVE-2025-69348", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-27T19:52:18.265Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-69348", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-06T19:48:31.219544Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-06T19:49:54.256Z"}}], "cna": {"title": "WordPress The Events Calendar Countdown Addon plugin <= 1.4.15 - Broken Access Control vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Legion Hunter | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "CoolHappy", "product": "The Events Calendar Countdown Addon", "versions": [{"status": "affected", "changes": [{"at": "1.4.16", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "1.4.15"}], "packageName": "countdown-for-the-events-calendar", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-22T14:22:13.946Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/countdown-for-the-events-calendar/vulnerability/wordpress-the-events-calendar-countdown-addon-plugin-1-4-15-broken-access-control-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in CoolHappy The Events Calendar Countdown Addon countdown-for-the-events-calendar allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects The Events Calendar Countdown Addon: from n/a through <= 1.4.15.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in CoolHappy The Events Calendar Countdown Addon countdown-for-the-events-calendar allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects The Events Calendar Countdown Addon: from n/a through <= 1.4.15.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-23T14:14:00.973Z"}}}, "cveMetadata": {"cveId": "CVE-2025-69348", "state": "PUBLISHED", "dateUpdated": "2026-04-27T19:52:18.265Z", "dateReserved": "2025-12-31T20:12:28.143Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-01-06T16:36:39.616Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in CoolHappy The Events Calendar Countdown Addon countdown-for-the-events-calendar allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects The Events Calendar Countdown Addon: from n/a through <= 1.4.15."}], "id": "CVE-2025-69348", "lastModified": "2026-04-27T21:16:24.927", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "audit@patchstack.com", "type": "Secondary"}]}, "published": "2026-01-06T17:15:47.230", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/countdown-for-the-events-calendar/vulnerability/wordpress-the-events-calendar-countdown-addon-plugin-1-4-15-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-29T01:00:13.475589+00:00", "value": {"mitigation_remediation": ["Upgrade the plugin to a version newer than 1.4.15 where the access control checks have been applied.", "If an immediate upgrade is not possible, restrict access to the Countdown Addon\u2019s URLs to authenticated users only by adjusting WordPress capabilities or adding access\u2011control rules in your web server configuration.", "Review the WordPress user roles that have permission to use the Countdown Addon and remove any unnecessary privileges that could allow a non\u2011admin user to access or modify event data."], "summary": {"action": "Update plugin", "impact": "Authorization bypass"}, "threat_synthesis": {"affected_systems": "CoolHappy The Events Calendar Countdown Addon versions from the earliest available through 1.4.15 are affected. Users running any of these versions should expect the access control flaw to be present.", "description_and_impact": "The vulnerability is a missing authorization flaw in CoolHappy The Events Calendar Countdown Addon, as described in the CVE. The description states that incorrectly configured access control security levels can be exploited, but it does not specify whether an authenticated or unauthenticated user can invoke privileged functionality. Based on the description, it is inferred that a user who can submit crafted requests to privileged endpoints may be able to access or manipulate data that should be restricted. The weakness is catalogued as CWE\u2011862 and results in a low CVSS score of 4.3, indicating that, while it does not enable arbitrary code execution, it can impact confidentiality, integrity, or availability of scheduled event information.", "risk_and_exploitability": "The CVSS score of 4.3 reflects a low severity. The EPSS score of less than 1% indicates a low probability of exploitation, and the vulnerability is not listed in CISA\u2019s KEV catalog. The likely attack vector is a remote web\u2011application exploit, where an attacker manipulates URLs or form fields to access restricted functions. The CVE description does not specify whether authentication is required; it only notes a missing authorization check. Based on the description, it is inferred that an attacker who can send crafted requests to the affected endpoints may be able to trigger the flaw, but it is unclear if this requires user authentication."}}}}, "created": "2026-01-07T10:08:47.035534+00:00", "updated": "2026-04-29T01:15:44.718645+00:00", "vendors": ["coolhappy", "coolhappy$PRODUCT$the_events_calendar_countdown_addon", "wordpress", "wordpress$PRODUCT$wordpress"]}