Skip to main content

Event Koi Lite CVE-2026-10029

| EUVDEUVD-2026-37841 MEDIUM
Missing Authorization (CWE-862)
2026-06-18 Wordfence GHSA-8968-x27c-fgxm
5.3
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
vuln.today AI
5.3 MEDIUM

Network-reachable unauthenticated endpoint, no complexity barrier, low confidentiality impact from partial private data disclosure; no integrity or availability impact.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jun 18, 2026 - 06:18 vuln.today
CVE Published
Jun 18, 2026 - 04:31 cve.org
MEDIUM 5.3

DescriptionCVE.org

The Event Koi Lite - Events Calendar, Event Management, RSVP, and Tickets plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.3.13.1 via the get_events. This makes it possible for unauthenticated attackers to extract sensitive data including virtual meeting URLs, physical location data, latitude/longitude coordinates, Google Maps links, and RSVP configuration belonging to draft, pending, and private events that are otherwise inaccessible via public URLs.

AnalysisAI

Unauthenticated sensitive information exposure in the Event Koi Lite WordPress plugin (all versions through 1.3.13.1) allows any remote visitor to retrieve private, draft, and pending event data via the unprotected get_events API endpoint. Exposed data includes virtual meeting URLs, physical venue addresses, GPS coordinates (latitude/longitude), Google Maps links, and RSVP configuration - all belonging to events deliberately kept out of public view. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify WordPress site running Event Koi Lite
Delivery
Send unauthenticated GET to get_events endpoint
Exploit
Receive JSON with all draft/private/pending events
Execution
Extract virtual meeting URLs and GPS coordinates
Impact
Use or disclose sensitive operational data

Vulnerability AssessmentAI

Exploitation No special conditions are required beyond the plugin being installed and active on the WordPress site: the get_events endpoint is reachable over the network without authentication (CVSS PR:N, AC:L), requires no user interaction, and no specific non-default configuration is needed. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score of 5.3 (Medium) reflects an AV:N/AC:L/PR:N/UI:N configuration with only low confidentiality impact and no integrity or availability impact - this is an accurate characterisation. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker sends a standard HTTP GET request to the Event Koi Lite get_events API endpoint on a target WordPress site - no credentials, tokens, or special headers required. The endpoint returns a JSON payload containing all draft, pending, and private events, including virtual meeting join URLs for unreleased events and precise GPS coordinates for private physical venues. …
Remediation The primary remediation is to update the Event Koi Lite plugin to a version beyond 1.3.13.1. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-10029 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy