CVE-2025-12498
📋 TL;DR
The EventPrime WordPress plugin allows authenticated users with Subscriber-level access or higher to add notes to any booking in the backend without proper authorization. This vulnerability affects all WordPress sites using EventPrime plugin versions up to 4.2.0.0.
💻 Affected Systems
- EventPrime – Events Calendar, Bookings and Tickets plugin for WordPress
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could add malicious notes to bookings, potentially disrupting event management, injecting malicious content, or defacing booking records.
Likely Case
Low-privileged users could tamper with booking notes, causing confusion or minor administrative issues.
If Mitigated
With proper access controls and monitoring, impact is limited to unauthorized note creation without data modification or system compromise.
🎯 Exploit Status
Exploitation requires authenticated access but is technically simple once authenticated.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.2.0.1 or later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3389496/
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find EventPrime plugin and click 'Update Now'. 4. Verify update to version 4.2.0.1 or later.
🔧 Temporary Workarounds
Temporary capability restriction
allTemporarily restrict Subscriber and Contributor user capabilities to prevent exploitation.
Use WordPress role management plugins or custom code to remove 'read' capability from low-privileged roles for booking management functions.
🧯 If You Can't Patch
- Disable the EventPrime plugin until patched
- Implement strict user access controls and monitor booking note changes
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for EventPrime version. If version is 4.2.0.0 or lower, you are vulnerable.Check Version:
wp plugin list --name=eventprime-event-calendar-management --field=versionVerify Fix Applied:
After updating, verify EventPrime plugin version shows 4.2.0.1 or higher in WordPress admin.📡 Detection & Monitoring
Log Indicators:
- Unusual booking note additions from low-privileged users
- Multiple booking note modifications in short timeframes
Network Indicators:
- POST requests to /wp-admin/admin-ajax.php with action=booking_add_notes from non-admin users
SIEM Query:
source="wordpress_logs" action="booking_add_notes" user_role="subscriber" OR user_role="contributor"