Eventprime EUVD-2025-209001

CVE-2025-69358 HIGH
Missing Authorization (CWE-862)
2026-03-25 Patchstack GHSA-678w-hwfh-39xv
7.5
CVSS 3.1 · NVD
Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: High
Availability: None

Lifecycle Timeline

Re-analysis Queued: Apr 23, 2026 - 15:43, vuln.today (cvss_changed)
EUVD ID Assigned: Mar 25, 2026 - 16:47, euvd (EUVD-2025-209001)
Analysis Generated: Mar 25, 2026 - 16:47, vuln.today
CVE Published: Mar 25, 2026 - 16:14, nvd (HIGH 7.5)

Description (CVE.org)

Missing Authorization vulnerability in Metagauss EventPrime eventprime-event-calendar-management allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects EventPrime: from n/a through <= 4.2.6.0.

Analysis (AI)

A missing authorization vulnerability exists in the Metagauss EventPrime event calendar management plugin for WordPress, classified as CWE-862 (Missing Authorization), that allows attackers to bypass access control restrictions and perform unauthorized actions. The vulnerability affects EventPrime versions up to and including 4.2.6.0, enabling exploitation through incorrectly configured access control security levels. While no CVSS score or EPSS data is currently published, the vulnerability has been documented by Patchstack and assigned ENISA EUVD ID EUVD-2025-209001, suggesting active security community awareness, though KEV status and proof-of-concept availability remain unconfirmed from available intelligence.

Technical Context (AI)

EventPrime (cpe:2.3:a:metagauss:eventprime:*:*:*:*:*:*:*:*) is a WordPress plugin providing event calendar management functionality. The root cause is classified under CWE-862 (Missing Authorization), indicating that the application fails to enforce proper access control checks before allowing users to perform sensitive operations. This typically manifests as insufficient server-side validation of user permissions, where client-side restrictions or role-based access control (RBAC) logic is either absent, misconfigured, or bypassable. WordPress plugins are particularly susceptible to authorization flaws when they directly expose admin or privileged functionality without verifying the current user's capabilities via WordPress' native permission model (e.g., current_user_can() checks). The incorrect configuration of security levels suggests the vulnerability may stem from default-permissive settings or logical errors in capability checks across multiple plugin endpoints.

Remediation (AI)

Immediately upgrade EventPrime to a version released after 4.2.6.0 (patch version to be confirmed from vendor) by navigating to WordPress Plugins > Installed Plugins, selecting EventPrime, and clicking 'Update Now', or download the patched version directly from the plugin repository or vendor website. Verify the update in the Plugins menu to confirm the new version is active. Until a patch is applied, implement WordPress-level access controls by restricting plugin administrative pages to specific user roles via security plugins (e.g., Wordfence, Sucuri), disable the plugin if not actively in use, and audit event calendar endpoints for unexpected access. Monitor Patchstack and the official EventPrime changelog (https://patchstack.com/database/Wordpress/Plugin/eventprime-event-calendar-management) for patch release notifications and apply updates within 24-48 hours of availability.
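To verify the installed version on a host without logging in to each dashboard, the following added example (not code from the advisory, Patchstack or the vendor) reads the plugin's `Version:` header from disk and compares it with the last affected release, 4.2.6.0. It assumes the standard `wp-content/plugins/<slug>/` layout; the function names are hypothetical, and because the page does not name a fixed release, "updated" only means "later than 4.2.6.0".

```python
import re
from pathlib import Path

SLUG = "eventprime-event-calendar-management"  # plugin slug from the advisory
LAST_AFFECTED = (4, 2, 6, 0)                   # "through <= 4.2.6.0"
# Same comment prefixes WordPress tolerates in front of a header field.
HEADER_RE = re.compile(rb"^[ \t/*#@]*Version:\s*([0-9][0-9.]*)", re.M | re.I)


def parse_version(text):
    """'4.2.6' -> (4, 2, 6, 0): pad to four parts so 4.2.6 == 4.2.6.0."""
    parts = [int(p) for p in text.strip(".").split(".") if p]
    return tuple(parts + [0] * (4 - len(parts)))


def installed_version(plugins_dir):
    """Return the version from the plugin's header comment, or None if absent."""
    plugin_dir = Path(plugins_dir) / SLUG
    if not plugin_dir.is_dir():
        return None
    # WordPress reads the header from the first 8 KiB of a top-level PHP file.
    for php in sorted(plugin_dir.glob("*.php")):
        head = php.read_bytes()[:8192]
        if b"Plugin Name:" not in head:
            continue  # helper file, not the plugin's main file
        match = HEADER_RE.search(head)
        if match:
            return match.group(1).decode()
    return None


def audit(plugins_dir):
    """Classify one site as 'not-installed', 'affected' or 'updated'."""
    version = installed_version(plugins_dir)
    if version is None:
        return "not-installed", None
    # 'updated' means later than the last affected release, nothing more.
    status = "affected" if parse_version(version) <= LAST_AFFECTED else "updated"
    return status, version


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:  # e.g. /var/www/site/wp-content/plugins
        print(path, *audit(path))
```

The check reads files only, so it also covers plugins that are installed but deactivated, which remain on disk until removed.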