CVE-2025-14507

5.3 MEDIUM

📋 TL;DR

The EventPrime WordPress plugin exposes sensitive booking data through its REST API to unauthenticated attackers when the API is enabled. This vulnerability allows extraction of user names, email addresses, ticket details, payment information, and order keys. All WordPress sites using EventPrime versions up to 4.2.7.0 with the REST API enabled are affected.

💻 Affected Systems

Products:
  • EventPrime - Events Calendar, Bookings and Tickets for WordPress
Versions: All versions up to and including 4.2.7.0
Operating Systems: All
Default Config Vulnerable: ✅ No
Notes: Vulnerability only exists when the EventPrime REST API is enabled by an administrator. The API is disabled by default.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Mass data breach exposing PII, payment details, and booking information leading to identity theft, financial fraud, and regulatory penalties.

🟠 Likely Case

Unauthenticated attackers harvesting user email addresses and booking details for spam, phishing campaigns, or targeted attacks.

🟢 If Mitigated

Limited exposure if API is disabled or proper access controls are implemented, though some data may still be accessible.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only simple HTTP requests to the REST API endpoints. No authentication is needed when the API is enabled.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.2.7.0 (partial fix), check for newer versions

Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3432454/

Restart Required: No

Instructions:

  1. Log into the WordPress admin panel.
  2. Navigate to Plugins > Installed Plugins.
  3. Find the EventPrime plugin.
  4. Click 'Update Now' if an update is available.
  5. Alternatively, download the latest version from the WordPress plugin repository and update manually.

🔧 Temporary Workarounds

Disable EventPrime REST API

Platform: all

Completely disable the vulnerable REST API endpoint to prevent exploitation

Navigate to EventPrime settings in WordPress admin and disable REST API functionality

Restrict API Access

Platform: linux

Use web application firewall or .htaccess to block unauthenticated access to /wp-json/eventprime/ endpoints

Add to .htaccess (the RewriteEngine On line is already present in the standard WordPress .htaccess block; it is repeated here so the rules work on their own):

  RewriteEngine On
  # Return 403 for any request into the EventPrime REST namespace that carries no Basic Authorization header
  RewriteCond %{REQUEST_URI} ^/wp-json/eventprime/ [NC]
  RewriteCond %{HTTP:Authorization} !^Basic [NC]
  RewriteRule .* - [F,L]

Note that these rules only check that a Basic Authorization header is present, not that it is valid, so they must be paired with an actual Basic authentication configuration for the namespace; they also block the plugin's own cookie-authenticated requests that do not send such a header.

🧯 If You Can't Patch

  • Immediately disable the EventPrime REST API in plugin settings
  • Implement network-level restrictions to block external access to /wp-json/eventprime/ endpoints

🔍 How to Verify

Check if Vulnerable:

Check whether the EventPrime REST API is enabled and reachable without credentials:

  curl -X GET https://yoursite.com/wp-json/eventprime/v1/bookings

If the response contains booking data without any authentication, the site is vulnerable.

Check Version:

Check the WordPress admin plugins page, or use WP-CLI:

  wp plugin get eventprime-event-calendar-management --field=version

Verify Fix Applied:

After updating, confirm that the same endpoint now requires authentication or returns a proper access-denied response.

📡 Detection & Monitoring

Log Indicators:

  • Multiple GET requests to /wp-json/eventprime/v1/* endpoints from unauthenticated users
  • Unusual volume of requests to booking/order API endpoints

Network Indicators:

  • Unusual traffic patterns to REST API endpoints
  • Data exfiltration patterns from booking endpoints

SIEM Query:

source="web_logs" AND uri_path="/wp-json/eventprime/*" AND http_method="GET" AND user_agent NOT CONTAINS "wp-admin"
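The log indicators above turned into a check that can be run over a web server's access log. This is an added example and not part of the advisory; the log lines are constructed, and the threshold and window are assumed tuning values. A source is flagged when it makes repeated successful GET requests into the /wp-json/eventprime/ namespace with no HTTP auth user and no wp-admin referer.

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed sample access-log lines (Apache combined format), not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Jan/2025:10:00:01 +0000] "GET /wp-json/eventprime/v1/bookings HTTP/1.1" 200 5120 "-" "python-requests/2.31"
203.0.113.10 - - [10/Jan/2025:10:00:02 +0000] "GET /wp-json/eventprime/v1/bookings?page=2 HTTP/1.1" 200 5098 "-" "python-requests/2.31"
203.0.113.10 - - [10/Jan/2025:10:00:03 +0000] "GET /wp-json/eventprime/v1/bookings?page=3 HTTP/1.1" 200 5077 "-" "python-requests/2.31"
198.51.100.7 - - [10/Jan/2025:10:00:05 +0000] "GET /wp-json/eventprime/v1/bookings HTTP/1.1" 200 2048 "https://example.test/wp-admin/admin.php" "Mozilla/5.0"
"""
# Combined format: %h %l %u %t "%r" %>s %b "%{Referer}i" ...; the user-agent field is not needed.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) '
                    r'(?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "(?P<referer>[^"]*)"')
EP_PREFIX = "/wp-json/eventprime/"  # REST namespace named in the advisory
THRESHOLD = 3   # suspect hits per source IP per window (assumed tuning value)
WINDOW_S = 60   # sliding-window length in seconds (assumed tuning value)

def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def is_suspect(rec):
    """Successful GET into the plugin namespace, no HTTP auth user, no wp-admin referer."""
    return (rec["method"] == "GET" and rec["status"] == "200"
            and rec["path"].lower().startswith(EP_PREFIX)
            and rec["user"] == "-" and "/wp-admin/" not in rec["referer"])

def find_harvesters(log_text, threshold=THRESHOLD, window_s=WINDOW_S):
    """Map source IP -> peak suspect hits in any window_s-second span, if it reaches threshold."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_suspect(rec):
            hits[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, times in hits.items():
        times.sort()
        lo, peak = 0, 0
        for hi in range(len(times)):  # two-pointer sliding window over sorted timestamps
            while (times[hi] - times[lo]).total_seconds() > window_s:
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged
```

Running find_harvesters(SAMPLE_LOG) flags 203.0.113.10 with three hits inside the window, while the request that carries a wp-admin referer is ignored.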
