CVE-2025-14657
Unknown Unknown - Not Provided

BaseFortify

Vulnerability report for CVE-2025-14657, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-01-09

Last updated on: 2026-01-09

Assigner: Wordfence

Description

The Eventin – Event Manager, Events Calendar, Event Tickets and Registrations plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'post_settings' function in all versions up to, and including, 4.0.51. This makes it possible for unauthenticated attackers to modify plugin settings. Furthermore, due to insufficient input sanitization and output escaping on the 'etn_primary_color' setting, this enables unauthenticated attackers to inject arbitrary web scripts that will execute whenever a user accesses a page where Eventin styles are loaded.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-01-09
Last Modified
2026-01-09
Generated
2026-07-06
AI Q&A
2026-01-10
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
unknown_vendor wp_event_solution to 4.0.51 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability affects the Eventin – Event Manager, Events Calendar, Event Tickets and Registrations WordPress plugin (also known as WP Event Solution). It occurs because the plugin lacks proper capability checks on the 'post_settings' function, allowing unauthenticated attackers to modify plugin settings. Additionally, insufficient input sanitization and output escaping on the 'etn_primary_color' setting enable attackers to inject arbitrary web scripts (Cross-Site Scripting or XSS) that execute when users load pages with Eventin styles. The vulnerability allows unauthorized modification of data and potential execution of malicious scripts. [1, 4]

Impact Analysis

This vulnerability can impact you by allowing unauthenticated attackers to change plugin settings without permission, potentially disrupting your website's functionality or appearance. More critically, attackers can inject malicious scripts via the color settings, which execute in the browsers of users visiting pages where the plugin's styles are loaded. This can lead to theft of user data, session hijacking, or other malicious activities performed through Cross-Site Scripting (XSS) attacks. [1, 4]

Detection Guidance

To detect this vulnerability, monitor for unauthorized or unauthenticated REST API requests attempting to modify plugin settings, especially those targeting the 'post_settings' function or the settings endpoint of the WP Event Solution plugin. Look for requests missing the required 'X-WP-Nonce' header or requests that modify color settings such as 'etn_primary_color' or 'etn_secondary_color'. You can use network monitoring tools or web server logs to identify suspicious POST requests to the plugin's API endpoints. Example commands include using curl to test API access without nonce: curl -X POST https://yourwordpresssite.com/wp-json/wp-event-solution/v1/settings -d '{"etn_primary_color":"#000000"}' -H "Content-Type: application/json" and checking if the request is accepted. Also, use grep or similar tools on server logs to find unauthorized access attempts. Additionally, scanning for plugin versions up to 4.0.51 can help identify vulnerable installations. [2, 4]

Mitigation Strategies

Immediate mitigation steps include: 1. Update the WP Event Solution plugin to a version later than 4.0.51 where the vulnerability is patched. 2. Ensure that REST API requests modifying plugin settings require a valid 'X-WP-Nonce' header and that user capabilities such as 'manage_options' are properly enforced. 3. Apply or verify that input sanitization functions like 'sanitize_hex_color()' are used for color settings to prevent XSS attacks. 4. Restrict access to the plugin's REST API endpoints to authenticated and authorized users only. 5. Monitor logs for suspicious API requests and block unauthorized attempts. These steps will prevent unauthorized modification of plugin settings and mitigate XSS risks. [1, 2, 4]

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-14657. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart