Skip to main content

Event Koi Lite Events Calendar Event Management Rsvp And Tickets

1 CVEs product

Monthly

CVE-2026-10029 MEDIUM This Month

Unauthenticated sensitive information exposure in the Event Koi Lite WordPress plugin (all versions through 1.3.13.1) allows any remote visitor to retrieve private, draft, and pending event data via the unprotected get_events API endpoint. Exposed data includes virtual meeting URLs, physical venue addresses, GPS coordinates (latitude/longitude), Google Maps links, and RSVP configuration - all belonging to events deliberately kept out of public view. The root cause is CWE-862 (Missing Authorization): the get_events handler performs no publication-status or capability check before returning event records. No public exploit identified at time of analysis, but the endpoint is trivially callable by any unauthenticated HTTP client.

Authentication Bypass Google WordPress Information Disclosure Event Koi Lite Events Calendar Event Management Rsvp And Tickets
NVD
CVSS 3.1
5.3
EPSS
0.3%
EPSS 0% CVSS 5.3
MEDIUM This Month

Unauthenticated sensitive information exposure in the Event Koi Lite WordPress plugin (all versions through 1.3.13.1) allows any remote visitor to retrieve private, draft, and pending event data via the unprotected get_events API endpoint. Exposed data includes virtual meeting URLs, physical venue addresses, GPS coordinates (latitude/longitude), Google Maps links, and RSVP configuration - all belonging to events deliberately kept out of public view. The root cause is CWE-862 (Missing Authorization): the get_events handler performs no publication-status or capability check before returning event records. No public exploit identified at time of analysis, but the endpoint is trivially callable by any unauthenticated HTTP client.

Authentication Bypass Google WordPress +2
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy