CVE-2026-10029
Sensitive Information Exposure in Event Koi Lite WordPress Plugin

Publication date: 2026-06-18

Last updated on: 2026-06-18

Assigner: Wordfence

Description
The Event Koi Lite – Events Calendar, Event Management, RSVP, and Tickets plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.3.13.1 via the get_events. This makes it possible for unauthenticated attackers to extract sensitive data including virtual meeting URLs, physical location data, latitude/longitude coordinates, Google Maps links, and RSVP configuration belonging to draft, pending, and private events that are otherwise inaccessible via public URLs.
Meta Information
Published: 2026-06-18
Last Modified: 2026-06-18
Generated: 2026-06-18
AI Q&A: 2026-06-18
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor: the_event_koi_lite
Product: events_calendar_event_management_rsvp_and_tickets
Version / Range: to 1.3.13.1 (inc)
CWE
CWE-862: The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Executive Summary

The Event Koi Lite plugin for WordPress, which manages events, RSVPs, and tickets, has a vulnerability in all versions up to, and including, 1.3.13.1. This vulnerability allows unauthenticated attackers to access sensitive information through the get_events function.

Specifically, attackers can extract sensitive data such as virtual meeting URLs, physical location details, latitude and longitude coordinates, Google Maps links, and RSVP settings for events that are draft, pending, or private, events that should not be publicly accessible.

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive event information. Attackers can obtain private details about events that are not meant to be public, including virtual meeting links and precise location data.

Such exposure can compromise privacy and security for event organizers and participants, potentially leading to unwanted access to virtual meetings or physical event locations.

Compliance Impact

The vulnerability allows unauthenticated attackers to extract sensitive information such as virtual meeting URLs, physical location data, latitude/longitude coordinates, Google Maps links, and RSVP configuration from draft, pending, and private events that should not be publicly accessible.

Exposure of such sensitive data could lead to non-compliance with data protection regulations like GDPR and HIPAA, which require protection of personal and sensitive information from unauthorized access.

However, the provided information does not explicitly state the impact on compliance with these standards.
