Unauthorized Data Modification in EventON Pro Plugin for WordPress
CVE-2025-3527
5.4MEDIUM
Key Information:
- Vendor
WordPress
- Vendor
- CVE Published:
- 17 May 2025
What is CVE-2025-3527?
The EventON Pro plugin for WordPress suffers from a vulnerability that permits unauthorized data modification due to the absence of a capability check in the 'assets/lib/settings/settings.js' file. This flaw affects all versions up to and including 4.9.6, allowing authenticated attackers with Subscriber-level access or higher to inject arbitrary web scripts into pages. Such scripts execute whenever a user accesses the compromised page, potentially leading to harmful consequences. A partial patch was introduced in version 4.9.6, but users are urged to adopt the latest version to mitigate risks.
Affected Version(s)
EventON (Pro) - WordPress Virtual Event Calendar Plugin * <= 4.9.6