CVE-2025-8091

medium

Description

The EventON Lite plugin for WordPress is vulnerable to Information Exposure in all versions less than, or equal to, 2.4.6 via the add_single_eventon and add_eventon shortcodes due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.

References

https://www.wordfence.com/threat-intel/vulnerabilities/id/421fcee2-a05d-4486-837e-ddee3d73d737?source=cve

https://wordpress.org/plugins/eventon-lite/

https://plugins.trac.wordpress.org/changeset/3345262

https://plugins.trac.wordpress.org/browser/eventon-lite/trunk/includes/class-evo-shortcodes.php#L81

https://plugins.trac.wordpress.org/browser/eventon-lite/trunk/includes/class-evo-shortcodes.php#L32

https://plugins.trac.wordpress.org/browser/eventon-lite/trunk/includes/class-event.php#L39

https://plugins.trac.wordpress.org/browser/eventon-lite/trunk/includes/calendar/class-calendar_generator.php#L954

Details

Source: Mitre, NVD

Published: 2025-08-15

Updated: 2026-04-15

Risk Information

CVSS v2

Base Score: 4

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:N/A:N

Severity: Medium

CVSS v3

Base Score: 4.3

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Severity: Medium

EPSS

EPSS: 0.00033