EventON Lite < 2.4.8 – Authenticated (Contributor+) Information Disclosure | CVE 2025-8091 | Plugin Vulnerabilities

Description

The EventON Lite plugin for WordPress is vulnerable to Information Exposure in all versions less than, or equal to, 2.4.6 via the add_single_eventon and add_eventon shortcodes due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.

Affects Plugins

Fixed in 2.4.8

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/421fcee2-a05d-4486-837e-ddee3d73d737

Classification

Type

SENSITIVE DATA DISCLOSURE

OWASP top 10

A3: Sensitive Data Exposure

CWE

CVSS

Miscellaneous

Original Researcher

Moose Love

Verified

No

WPVDB ID

49560f2b-9404-40c5-b876-3f896541dddb

Timeline

Publicly Published

2025-08-14 (about 10 months ago)

Added

2025-08-14 (about 10 months ago)

Last Updated

2025-11-05 (about 7 months ago)

Other

Published

Title

Published

2026-01-05

Title

Cookies and Content Security Policy < 2.35 - Unauthenticated Information Exposure

Published

2024-12-05

Title

WP Private Content Plus < 3.6.2 - Unauthenticated Content Restriction Bypass to Sensitive Information Exposure

Published

2025-02-13

Title

Return Refund and Exchange For WooCommerce < 4.4.6 - Unauthenticated Sensitive Information Exposure Through Unprotected Directory

Published

2026-03-25

Title

Instantio < 3.3.31 - Unauthenticated Information Exposure

Published

2025-01-16

Title

WPDB to Sql <= 1.2 - Unauthenticated Sensitive Information Exposure