Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Network-reachable unauthenticated endpoint, no complexity barrier, low confidentiality impact from partial private data disclosure; no integrity or availability impact.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
The Event Koi Lite - Events Calendar, Event Management, RSVP, and Tickets plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.3.13.1 via the get_events. This makes it possible for unauthenticated attackers to extract sensitive data including virtual meeting URLs, physical location data, latitude/longitude coordinates, Google Maps links, and RSVP configuration belonging to draft, pending, and private events that are otherwise inaccessible via public URLs.
AnalysisAI
Unauthenticated sensitive information exposure in the Event Koi Lite WordPress plugin (all versions through 1.3.13.1) allows any remote visitor to retrieve private, draft, and pending event data via the unprotected get_events API endpoint. Exposed data includes virtual meeting URLs, physical venue addresses, GPS coordinates (latitude/longitude), Google Maps links, and RSVP configuration - all belonging to events deliberately kept out of public view. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | No special conditions are required beyond the plugin being installed and active on the WordPress site: the get_events endpoint is reachable over the network without authentication (CVSS PR:N, AC:L), requires no user interaction, and no specific non-default configuration is needed. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 base score of 5.3 (Medium) reflects an AV:N/AC:L/PR:N/UI:N configuration with only low confidentiality impact and no integrity or availability impact - this is an accurate characterisation. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unauthenticated attacker sends a standard HTTP GET request to the Event Koi Lite get_events API endpoint on a target WordPress site - no credentials, tokens, or special headers required. The endpoint returns a JSON payload containing all draft, pending, and private events, including virtual meeting join URLs for unreleased events and precise GPS coordinates for private physical venues. … |
| Remediation | The primary remediation is to update the Event Koi Lite plugin to a version beyond 1.3.13.1. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37841
GHSA-8968-x27c-fgxm