{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-7663", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-07-14T20:54:40.540Z", "datePublished": "2025-11-08T03:27:47.659Z", "dateUpdated": "2026-04-08T16:53:12.750Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:53:12.750Z"}, "affected": [{"vendor": "ovatheme", "product": "Ovatheme Events Manager", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.8.6", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Ovatheme Events Manager plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several functions in the /class-ovaem-ajax.php file in all versions up to, and including, 1.8.6. This makes it possible for unauthenticated attackers to delete ticket files, download tickets, and more."}], "title": "Ovatheme Events Manager <= 1.8.6 - Missing Authorization", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/53f12e61-fdb0-4838-b733-fc4d7a4ff016?source=cve"}, {"url": "https://themeforest.net/item/em4u-event-management-multipurpose-wordpress-theme/20846579"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Friderika Baranyai"}], "timeline": [{"time": "2025-07-14T21:10:02.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-11-07T15:22:40.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-11-13T21:39:41.964680Z", "id": "CVE-2025-7663", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-13T21:39:48.535Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-7663", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-11-13T21:39:41.964680Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-13T21:39:44.663Z"}}], "cna": {"title": "Ovatheme Events Manager <= 1.8.6 - Missing Authorization", "credits": [{"lang": "en", "type": "finder", "value": "Friderika Baranyai"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"}}], "affected": [{"vendor": "ovatheme", "product": "Ovatheme Events Manager", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.8.6"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-07-14T21:10:02.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-11-07T15:22:40.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/53f12e61-fdb0-4838-b733-fc4d7a4ff016?source=cve"}, {"url": "https://themeforest.net/item/em4u-event-management-multipurpose-wordpress-theme/20846579"}], "descriptions": [{"lang": "en", "value": "The Ovatheme Events Manager plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several functions in the /class-ovaem-ajax.php file in all versions up to, and including, 1.8.6. This makes it possible for unauthenticated attackers to delete ticket files, download tickets, and more."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:53:12.750Z"}}}, "cveMetadata": {"cveId": "CVE-2025-7663", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:53:12.750Z", "dateReserved": "2025-07-14T20:54:40.540Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-11-08T03:27:47.659Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Ovatheme Events Manager plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several functions in the /class-ovaem-ajax.php file in all versions up to, and including, 1.8.6. This makes it possible for unauthenticated attackers to delete ticket files, download tickets, and more."}], "id": "CVE-2025-7663", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-11-08T04:15:45.597", "references": [{"source": "security@wordfence.com", "url": "https://themeforest.net/item/em4u-event-management-multipurpose-wordpress-theme/20846579"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/53f12e61-fdb0-4838-b733-fc4d7a4ff016?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T01:47:58.556001+00:00", "value": {"mitigation_remediation": ["Update Ovatheme Events Manager to the latest release that includes the missing capability check.", "If a version update is not possible, remove or disable the plugin to eliminate exposed AJAX endpoints.", "Monitor WordPress access and error logs for attempts to delete or download ticket files, indicating potential exploitation."], "summary": {"action": "Patch Immediately", "impact": "Unauthorized Data Deletion and Disclosure"}, "threat_synthesis": {"affected_systems": "All released versions of Ovatheme Events Manager up to and including 1.8.6 are affected. The plugin is a WordPress component that can be installed from the theme marketplace or WordPress repository. Users running any of these versions on their website are at risk until they upgrade or remove the plugin.", "description_and_impact": "The Ovatheme Events Manager plugin contains a missing capability check in several functions within its AJAX handler file, allowing any user, including unauthenticated visitors, to perform privileged operations. An attacker can trigger these functions to delete ticket files or download ticket data, resulting in loss or exposure of sensitive event information. The flaw is classified as a missing authorization control (CWE-862).", "risk_and_exploitability": "The base CVSS score is 6.5, indicating moderate severity, while the EPSS indicates a very low but nonzero likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. Because the flaw enables unauthenticated access through public AJAX endpoints, an attacker who discovers the exposed URL paths could exploit the issue without needing to authenticate. The potential impact includes deletion of ticket files and unauthorized disclosure of ticket content."}}}}, "created": "2025-11-10T09:33:29.985782+00:00", "updated": "2026-04-21T02:00:12.280832+00:00", "vendors": ["ovatheme", "ovatheme$PRODUCT$events_manager_plugin", "wordpress", "wordpress$PRODUCT$wordpress"]}