Unauthorized Data Modification in Eventin Plugin for WordPress
CVE-2025-14657

7.2HIGH

Key Information:

Vendor

WordPress
Status
Eventin – Event Manager, Event Booking, Calendar, Tickets And Registration Plugin (ai Powered)
Vendor
CVE Published:
9 January 2026

What is CVE-2025-14657?

The Eventin plugin for WordPress is susceptible to unauthorized data modification due to a missing capability check within the 'post_settings' function. This vulnerability affects all versions up to and including 4.0.51. Attackers who are unauthenticated can exploit this flaw to alter plugin settings freely. Additionally, insufficient input sanitization and output escaping for the 'etn_primary_color' setting permit these attackers to inject malicious web scripts, which will execute whenever a user visits a page utilizing Eventin styles.

Affected Version(s)

Eventin – Event Manager, Event Booking, Calendar, Tickets and Registration Plugin (AI Powered) * <= 4.0.51

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://plugins.trac.wordpress.org/changeset/3429942/wp-e...
https://plugins.trac.wordpress.org/changeset/3429942/wp-e...

CVSS V3.1

Score:
7.2
Severity:
HIGH
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Sarawut Poolkhet
JSON
.
CVE-2025-14657 : Unauthorized Data Modification in Eventin Plugin for WordPress