Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
4DescriptionCVE.org
Missing Authorization vulnerability in fullworks Display Eventbrite Events widget-for-eventbrite-api allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Display Eventbrite Events: from n/a through <= 6.5.6.
AnalysisAI
Missing authorization in the fullworks Display Eventbrite Events WordPress plugin through version 6.5.6 allows unauthenticated remote attackers to modify plugin data via incorrectly configured access control mechanisms. The vulnerability enables integrity attacks (CWE-862: Missing Authorization) without requiring authentication or user interaction, affecting the plugin's REST API or admin functions. EPSS score of 0.02% indicates extremely low real-world exploitation probability despite the network-accessible attack vector.
Technical ContextAI
The Display Eventbrite Events plugin (CPE: cpe:2.3:a:fullworks:display_eventbrite_events:*:*:*:*:*:*:*:*) integrates Eventbrite event data into WordPress. CWE-862 (Missing Authorization) indicates the plugin fails to implement proper permission checks on sensitive operations, likely in its REST API endpoints or admin AJAX handlers. WordPress plugins commonly expose such endpoints via wp-admin/admin-ajax.php or REST /wp-json/ routes without verifying user capabilities (e.g., missing is_user_logged_in() or current_user_can() checks). The vulnerability suggests that access control security levels are not properly enforced when processing requests, allowing actions that should require specific roles or permissions to execute without restriction.
RemediationAI
Update the Display Eventbrite Events plugin to version 6.5.7 or later when available from the WordPress plugin repository. Administrators should navigate to WordPress admin dashboard → Plugins, locate 'Display Eventbrite Events,' and click 'Update.' Until a patched version is released, restrict access to WordPress admin and REST API endpoints via authentication requirements (ensure WordPress login is enforced), consider disabling the plugin if not actively used, and review recent admin logs for unauthorized changes to Eventbrite event displays. Refer to the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/widget-for-eventbrite-api/vulnerability/wordpress-display-eventbrite-events-plugin-6-5-6-broken-access-control-vulnerability for detailed remediation guidance.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20189
GHSA-42vq-c86x-66jp