Unauthorized Access Vulnerability in Ovatheme Events Manager for WordPress
CVE-2025-7663

6.5MEDIUM

Key Information:

Vendor: WordPress
Status: Ovatheme Events Manager
Vendor: CVE Published:; 8 November 2025

What is CVE-2025-7663?

The Ovatheme Events Manager plugin for WordPress contains a critical flaw that allows unauthorized access due to the absence of capability checks on several functions within the /class-ovaem-ajax.php file. This vulnerability affects all versions up to and including 1.8.6, enabling unauthenticated attackers to engage in malicious actions such as deleting ticket files and downloading tickets without permission.

Affected Version(s)

Ovatheme Events Manager * <= 1.8.6

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://themeforest.net/item/em4u-event-management-multip...

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Nov 8, 2025
Vulnerability Reserved
Jul 14, 2025

Credit

Friderika Baranyai

JSON