WordPress Community Events Plugin Missing Authorization Vulnerability in Event Approval Function
Vulnerability
A vulnerability exists in the Community Events plugin for WordPress, allowing unauthorized data modification. This issue arises from a lack of capability checks in the 'ajax_admin_event_approval' function, present in all versions up to and including 1.5.6. As a result, unauthenticated attackers can approve arbitrary events by manipulating the 'eventlist' parameter.
Impact
Exploitation of this vulnerability allows for unauthorized approval of events, potentially leading to misuse of event management features.
Reproduction
To reproduce this vulnerability, send a request to the 'ajax_admin_event_approval' endpoint without proper authorization. Include the 'eventlist' parameter with the IDs of the events to be approved. The absence of a capability check allows this action to be performed by unauthenticated users.
Remediation
Update the Community Events plugin to version 1.5.7 or a newer patched version.
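The defect class described above (an admin-ajax callback that acts on the 'eventlist' parameter without checking who is calling) and its fix are illustrated by the following added example. This is not the Community Events plugin's code: the hook names, function names, the 'event' post type and the 'event_approved' meta key are assumptions made for the illustration, and the capability and nonce checks in the hardened version are the standard WordPress controls a patched handler would apply.

```php
<?php
// Added illustration, not the Community Events plugin's own code.
// A hypothetical admin-ajax handler for event approval, first without any
// authorization control (the class of defect in the advisory), then with the
// checks a WordPress plugin should perform before modifying data.

// Vulnerable pattern: the callback is also registered on the wp_ajax_nopriv_
// hook, so unauthenticated clients reach it, and the body trusts the request.
add_action( 'wp_ajax_nopriv_approve_event', 'vulnerable_ajax_admin_event_approval' );
add_action( 'wp_ajax_approve_event', 'vulnerable_ajax_admin_event_approval' );

function vulnerable_ajax_admin_event_approval() {
    // No nonce and no capability check: any client may post an 'eventlist'.
    $ids = isset( $_POST['eventlist'] ) ? (array) $_POST['eventlist'] : array();
    foreach ( $ids as $id ) {
        update_post_meta( (int) $id, 'event_approved', 1 );
    }
    wp_send_json_success();
}

// Hardened pattern: logged-in hook only, nonce verified, capability checked,
// input sanitised, and each ID confirmed to belong to an event post.
add_action( 'wp_ajax_approve_event', 'hardened_ajax_admin_event_approval' );

function hardened_ajax_admin_event_approval() {
    // Reject requests that did not originate from the plugin's own admin UI
    // ('approve_event_nonce' is an assumed nonce action name).
    check_ajax_referer( 'approve_event_nonce', 'nonce' );

    // Authorization: only users who may edit others' posts can approve events
    // (the exact capability is an assumption; choose the narrowest that fits).
    if ( ! current_user_can( 'edit_others_posts' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // Normalise the incoming list to positive integers only.
    $raw = isset( $_POST['eventlist'] ) ? wp_unslash( $_POST['eventlist'] ) : array();
    $ids = array_filter( array_map( 'absint', (array) $raw ) );

    $approved = array();
    foreach ( $ids as $id ) {
        // 'event' is an assumed post type name for this illustration.
        if ( get_post_type( $id ) !== 'event' ) {
            continue;
        }
        update_post_meta( $id, 'event_approved', 1 );
        $approved[] = $id;
    }
    wp_send_json_success( array( 'approved' => $approved ) );
}
```

When auditing a plugin for this class of issue, look for callbacks registered on `wp_ajax_nopriv_*` hooks (or on `wp_ajax_*` without a `current_user_can()` test) that write to posts, options or meta; the nonce alone is not authorization, since a nonce only ties a request to a session, so both controls belong in the handler.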
