WordPress Plugin Vulnerabilities

EventPrime – Events Calendar, Bookings and Tickets < 4.2.0.1 - Missing Authorization to Authenticated (Subscriber+) Booking Note Creation

Description

The EventPrime – Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to unauthorized booking note creation due to a missing capability check on the 'booking_add_notes' function in all versions up to, and including, 4.2.0.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to add a note to the backend view of any booking.

Affects Plugins

Plugin icon
eventprime-event-calendar-management
Fixed in 4.2.0.1

References

CVE
CVE-2025-12498
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/d32f7e98-8203-400e-bc26-4556ddba2510

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Brian Mungai
Verified
No
WPVDB ID
b34fe51e-bfcd-4d8f-8722-2a6884b0548d

Timeline

Publicly Published
2025-11-07 (about 6 months ago)
Added
2025-11-07 (about 6 months ago)
Last Updated
2025-11-08 (about 6 months ago)

Other

Published
Title
Published
2021-11-10
Title
Meks Easy Photo Feed Widget < 1.2.4 - Subscriber+ Settings Update to Stored XSS
Published
2026-01-24
Title
WP Go Maps (formerly WP Google Maps) < 10.0.05 - Missing Authorization to Authenticated (Subscriber+) Map Engine Setting Modification
Published
2026-04-16
Title
HAPPY – Helpdesk Support Ticket System < 1.0.11 - Missing Authorization
Published
2025-08-20
Title
LifePress < 2.2 - Missing Authorization
Published
2024-06-28
Title
Featured Image from URL < 4.8.2 - Missing Authorization