Privilege Escalation Vulnerability in Event List Plugin for WordPress
CVE-2025-6366
8.8 HIGH
What is CVE-2025-6366?
The Event List plugin for WordPress has a vulnerability that enables authenticated attackers, including those with Subscriber-level access, to escalate their privileges. This is possible because the plugin does not adequately verify user capabilities before modifying a user's profile through the el_update_profile() function. As a result, attackers can gain administrator-level permissions, which poses a significant security risk to affected WordPress sites.
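The capability check this class of bug lacks, shown as an added example for a hypothetical profile-update handler; it is not the Event List plugin's code or its patch. The action name, nonce name and request field names are assumptions, and only the WordPress core functions are real.

```php
<?php
// Added example: hypothetical handler, NOT the plugin's el_update_profile().
// 'example_update_profile', 'nonce', 'user_id', 'display_name', 'user_email'
// and 'role' are assumed names chosen for illustration.
add_action( 'wp_ajax_example_update_profile', 'example_update_profile' );

function example_update_profile() {
    // 1. Reject forged requests before touching any input.
    check_ajax_referer( 'example_update_profile', 'nonce' );

    // 2. Resolve the target account; default to the caller's own.
    $target_id = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : get_current_user_id();

    // 3. Check the capability against the *target* user. A Subscriber
    //    passes 'edit_user' only for their own ID.
    if ( ! $target_id || ! current_user_can( 'edit_user', $target_id ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    // 4. Build the update from an allow-list of fields. Never pass $_POST
    //    straight to wp_update_user(): it honours a 'role' key.
    $userdata = array( 'ID' => $target_id );
    if ( isset( $_POST['display_name'] ) ) {
        $userdata['display_name'] = sanitize_text_field( wp_unslash( $_POST['display_name'] ) );
    }
    if ( isset( $_POST['user_email'] ) ) {
        $email = sanitize_email( wp_unslash( $_POST['user_email'] ) );
        if ( ! is_email( $email ) ) {
            wp_send_json_error( array( 'message' => 'Invalid email' ), 400 );
        }
        $userdata['user_email'] = $email;
    }

    // 5. A role change is a separate privilege with its own check.
    if ( isset( $_POST['role'] ) ) {
        $role = sanitize_key( wp_unslash( $_POST['role'] ) );
        if ( ! current_user_can( 'promote_user', $target_id )
            || ! array_key_exists( $role, get_editable_roles() ) ) {
            wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
        }
        $userdata['role'] = $role;
    }

    $result = wp_update_user( $userdata );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( array( 'message' => $result->get_error_message() ), 500 );
    }
    wp_send_json_success();
}
```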
Affected Version(s)
Event List * <= 2.0.4