CVE-2025-14507 MEDIUM

CVE-2025-14507: EventPrime - Events Calendar, Bookings and Tickets <= 4.2.7.0 - Unauthenticated Sensitive Information Exposure via REST API

Vendor: Metagauss
Product: EventPrime – Events Calendar, Bookings and Tickets
Weakness: CWE-200 · Info exposure
Published: January 13, 2026
Last update: April 8, 2026

CVSS base score

5.3/10
Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Confidentiality: Low
Integrity: None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

01 Description

The EventPrime - Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.2.7.0 via the REST API. This makes it possible for unauthenticated attackers to extract sensitive booking data including user names, email addresses, ticket details, payment information, and order keys when the API is enabled by an administrator. The vulnerability was partially patched in version 4.2.7.0.

Explanation of Vulnerability in Simple Terms

02 Summary

EventPrime versions up to and including 4.2.7.0 expose sensitive booking information through the plugin's REST API, which an unauthenticated attacker can read over the network without user interaction. The vulnerability stems from improper access controls on data that should be restricted. Because the fix in 4.2.7.0 was only partial, site administrators should update to a version newer than 4.2.7.0 to prevent unauthorized information disclosure.

What an attacker can do

03 Attacker Capabilities

Read sensitive information from the site without authentication.

Potential impact on your site

04 Site Impact

Confidential data may be exposed to anyone on the internet, potentially including event details, booking info, or user data.

Conditions required to exploit

05 Prerequisites

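Network access only; no authentication or user interaction required. Per the description, the data is exposed when the plugin's REST API has been enabled by an administrator.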

Key dates

06 Disclosure timeline

January 13, 2026: CVE published
April 8, 2026: Record updated