Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Plugin endpoint is reachable over the network without authentication or user interaction, and the described broken access control leaks protected data (C:H) without explicit integrity or availability impact.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
1DescriptionCVE.org
Unauthenticated Broken Access Control in WP Event SOlution <= 4.1.12 versions.
AnalysisAI
Broken access control in the Arraytics WP Event Solution WordPress plugin through version 4.1.12 allows remote unauthenticated attackers to access protected functionality or data without authorization. The flaw stems from missing authorization checks (CWE-862) on plugin endpoints, exposing sensitive event-management capabilities or data to anyone who can reach the WordPress site. No public exploit identified at time of analysis, and the issue is not currently listed in the CISA KEV catalog.
Technical ContextAI
WP Event Solution (vendor: Arraytics, CPE cpe:2.3:a:arraytics:wp_event_solution) is a WordPress plugin used to manage events, attendees, and bookings on WordPress sites. The root cause is CWE-862 (Missing Authorization): one or more plugin handlers - typically WordPress REST API routes, AJAX actions, or admin-post endpoints - fail to enforce a capability or nonce check before executing privileged logic. Because WordPress plugins commonly expose endpoints under /wp-json/ or admin-ajax.php that should gate sensitive actions behind current_user_can() or permission_callback checks, omitting that check turns intended-restricted functionality into an open interface reachable by any unauthenticated visitor.
RemediationAI
Upgrade WP Event Solution to a version newer than 4.1.12 as identified in the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/wp-event-solution/vulnerability/wordpress-wp-event-solution-plugin-4-1-12-broken-access-control-vulnerability); an exact fix version was not provided in the input data, so consult the Patchstack entry or the plugin's WordPress.org changelog for the patched release number. Until upgrading, compensating controls include deactivating the WP Event Solution plugin (which removes event-management functionality from the site), restricting access to the WordPress REST API and admin-ajax.php from untrusted networks via a WAF or web server rules (which may break legitimate front-end integrations), or applying a virtual patch through Patchstack/Wordfence/Sucuri rules that block the specific vulnerable endpoint (which depends on continued WAF subscription). Review WordPress and webserver logs for unexpected requests to plugin REST routes (e.g., /wp-json/wp-event-solution/ or related namespaces) and to admin-ajax.php with plugin-specific action parameters to detect prior abuse.
More in Wp Event Solution
View allSame weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-210166
GHSA-642g-j4h8-6jrc