
CVE-2025-8091 PoC — EventON Lite <= 2.4.7 - Authenticated (Contributor+) Information Disclosure

Associated Vulnerability

Title: EventON Lite <= 2.4.7 - Authenticated (Contributor+) Information Disclosure (CVE-2025-8091)

Description: The EventON Lite plugin for WordPress is vulnerable to Information Exposure in all versions less than, or equal to, 2.4.6 via the add_single_eventon and add_eventon shortcodes due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.

Description: Disclosure for CVE-2025-8091

Readme
# EventON-Lite-CVE-Report
Disclosure for CVE-2025-8091

# CVE-2025-8091 - Vulnerability in EventON Lite

This repository discloses a vulnerability discovered in [EventON Lite <= 2.4.6](https://google.com), a WordPress plugin developed by Ashan Perera.

## 🛠 Affected Version

- **Product**: EventON Lite
- **Version**: v2.4.6
- **URL**: https://wordpress.org/plugins/eventon-lite/

---

## 🔒 Assigned CVE
| CVE ID        | Type                                                        | Component                    | Impact                                               |
|---------------|-------------------------------------------------------------|------------------------------|------------------------------------------------------|
| CVE-2025-8091 | Exposure of Sensitive Information to an Unauthorized Actor  | class-calendar-generator.php | Authenticated (Contributor+) Information Disclosure  |

---

## 🧾 Detailed Description

### CVE-2025-8091 — Authenticated (Contributor+) Information Disclosure

- **Affected Component**: get_single_event_data()
- **Attack Vector**: Specify any event ID, including private or draft posts
- **Trigger**: An authenticated user passes the target event ID to the API/endpoint
- **Impact**: Disclosure of sensitive details from unpublished events created by an administrator, including title, full description, custom fields, location, and organizer information
- **PoC**:
  1. Log in as a Contributor.
  2. Guess the sequential event ID and view private information using the following shortcode: `[add_single_eventon id="xxxx"]`
  3. Previewing the post causes the information leak.

## ❓ Reason for the vulnerability

The `post_type` parameter is not properly validated, allowing retrieval of unintended post types, including private or draft events.

### Proposed Fix

- Explicitly whitelist the allowed `post_type` before executing the query.
- Apply proper capability checks such as `current_user_can('read_private_ajde_events')` for private content.
- Limit `post_status` to `publish` for users without the necessary privileges.

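The three mitigations above combined into one lookup guard, as an added example written for this advisory rather than code taken from the EventON plugin. It assumes the event post type is registered as `ajde_events` (inferred from the capability named above), and the shortcode name `secure_single_eventon` and function `secure_single_event_lookup()` are hypothetical.

```php
<?php
// Added example, not EventON's code: a guarded event lookup applying the three
// fixes proposed in this advisory. Assumption: the event post type is 'ajde_events'
// (inferred from the capability named above); the shortcode name is hypothetical.
// Returns the WP_Post for $raw_id only if the current user may read it, else null.
// Meant to replace an unrestricted get_post() call inside a shortcode handler.
function secure_single_event_lookup( $raw_id ) {
    $post_id = absint( $raw_id ); // only positive integers are valid IDs
    if ( 0 === $post_id ) {
        return null;
    }
    $post = get_post( $post_id );
    if ( ! $post instanceof WP_Post ) {
        return null;
    }
    // Fix 1: whitelist the post type so no other post type renders, whatever ID is given.
    $allowed_types = array( 'ajde_events' ); // assumed EventON event post type
    if ( ! in_array( $post->post_type, $allowed_types, true ) ) {
        return null;
    }

    // Password-protected posts are never rendered here; the theme's password form is the only path.
    if ( post_password_required( $post ) ) {
        return null;
    }

    // Fix 3: published events are public and need no further checks.
    if ( 'publish' === $post->post_status ) {
        return $post;
    }

    // Fix 2: private, draft, pending or scheduled events need a capability. 'read_post' is
    // WordPress' per-post meta capability; the advisory's plugin-specific cap is also honoured.
    if ( current_user_can( 'read_post', $post_id ) ) {
        return $post;
    }
    if ( 'private' === $post->post_status && current_user_can( 'read_private_ajde_events' ) ) {
        return $post;
    }
    return null;
}

// Hypothetical shortcode wiring: denied lookups render nothing, so nothing leaks.
add_shortcode( 'secure_single_eventon', function ( $atts ) {
    $atts  = shortcode_atts( array( 'id' => 0 ), $atts );
    $event = secure_single_event_lookup( $atts['id'] );
    return $event ? esc_html( $event->post_title ) : '';
} );
```
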
## 🔍 Discoverer

**Name**: MooseLove  
**Role**: Independent security researcher / bug hunter  
**Contact**: Available upon request  
**PGP**: Provided to MITRE during CVE request

---

## 📚 References

- Product: https://wordpress.org/plugins/eventon-lite/

---

## ⚠️ License

This advisory is provided for public security awareness. Free to share with attribution.