CVE-2025-14507
Sensitive Data Exposure in EventPrime Plugin via REST API
Publication date: 2026-01-13
Last updated on: 2026-01-13
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| metagauss | eventprime_event_calendar_management | 4.2.7.0 |
| metagauss | eventprime_event_calendar_management | 4.2.8.0 |
| metagauss | eventprime_event_calendar_management | to 4.2.7.0 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in the EventPrime - Events Calendar, Bookings and Tickets WordPress plugin allows unauthenticated attackers to access sensitive booking information through the REST API. This includes user names, email addresses, ticket details, payment information, and order keys. The issue affects all versions up to and including 4.2.7.0, and it occurs when the REST API is enabled by an administrator. The vulnerability was partially fixed in version 4.2.7.0. [1, 3]
How can this vulnerability impact me? :
This vulnerability can lead to unauthorized disclosure of sensitive personal and payment information of users who have booked events using the plugin. Attackers can extract user names, email addresses, ticket details, payment information, and order keys without authentication, potentially leading to privacy violations, fraud, or identity theft. [1, 3]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The exposure of sensitive personal and payment data through this vulnerability can result in non-compliance with data protection regulations such as GDPR and HIPAA. Unauthorized access to personal information may violate privacy requirements, leading to potential legal and financial consequences for organizations using the affected plugin. [1, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
You can detect this vulnerability by checking if the EventPrime plugin version is up to and including 4.2.7.0 and if the REST API is enabled. Since the vulnerability allows unauthenticated access to sensitive booking data via the REST API, monitoring REST API requests to EventPrime endpoints for unusual or unauthorized access patterns can help detect exploitation attempts. Specific commands could include using curl or similar tools to query the REST API endpoints to see if sensitive data is exposed without authentication. For example, you might run: curl -X GET https://yourwordpresssite.com/wp-json/eventprime/v1/bookings to check if booking data is accessible without credentials. Additionally, reviewing web server logs for unauthenticated REST API calls to EventPrime endpoints can help detect attempts. However, no explicit detection commands are provided in the resources. [3]
What immediate steps should I take to mitigate this vulnerability?
The immediate step to mitigate this vulnerability is to update the EventPrime plugin to version 4.2.7.0 or later, as this version includes partial patches addressing CVE-2025-14507. Ideally, update to the latest version available (e.g., 4.2.8.0) which includes further improvements and security fixes. Additionally, if possible, disable or restrict access to the EventPrime REST API endpoints until the update is applied. Monitoring and limiting unauthenticated access to the REST API can reduce exposure. Applying the official plugin update from the WordPress repository is the recommended mitigation. [1, 2]