CVE-2025-14657 HIGH

CVE-2025-14657: Eventin – Event Manager, Event Booking, Calendar, Tickets and Registration Plugin (AI Powered) <= 4.0.51 - Missing Authorization to Unauthenticated Stored Cross-Site Scripting via 'post_settings'

Vendor Arraytics
Product Eventin – Event Calendar, Event Registration, Tickets & Booking (AI Powered)
Weakness CWE-862 · Missing authorization
Published January 9, 2026
Last update April 8, 2026

CVSS base score

7.2/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Scope Changed
Confidentiality Low
Integrity Low
Availability None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

What the vulnerability does

01 Description

The Eventin – Event Manager, Events Calendar, Event Tickets and Registrations plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'post_settings' function in all versions up to, and including, 4.0.51. This makes it possible for unauthenticated attackers to modify plugin settings. Furthermore, due to insufficient input sanitization and output escaping on the 'etn_primary_color' setting, this enables unauthenticated attackers to inject arbitrary web scripts that will execute whenever a user accesses a page where Eventin styles are loaded.
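The description names two separate defects: a settings handler that never checks the caller's capability, and a colour setting that is stored and later emitted into a stylesheet without validation or escaping. The following is an added illustration, not Eventin's code; the route names, option name, function names and the style handle are invented for the example. It shows a hypothetical WordPress REST settings endpoint written the weak way beside the hardened form, where authorization is enforced in `permission_callback`, the colour is constrained to a hex literal on input, and the value is re-checked again at the point where it is written into CSS.

```php
<?php
// Added example (hypothetical plugin code, not Eventin's): a settings
// endpoint with the two defects the advisory describes, then the fixed form.

// Accept only "#abc" or "#aabbcc"; anything else is rejected.
// (Recent WordPress also ships sanitize_hex_color() for this purpose.)
function example_valid_hex_color( $value ) {
    return is_string( $value ) && 1 === preg_match( '/^#([A-Fa-f0-9]{3}){1,2}$/', $value );
}

// --- Weak pattern: no authorization, value stored verbatim -----------------
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-events/v1', '/settings', array(
        'methods'             => 'POST',
        'callback'            => 'example_post_settings_unchecked',
        'permission_callback' => '__return_true', // any unauthenticated caller may write
    ) );
} );

function example_post_settings_unchecked( WP_REST_Request $request ) {
    // Stored without validation; if it is later printed into a <style> block
    // as-is, a non-colour value reaches every page that loads the styles.
    update_option( 'example_primary_color', $request->get_param( 'primary_color' ) );
    return rest_ensure_response( array( 'saved' => true ) );
}

// --- Hardened pattern ------------------------------------------------------
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-events/v1', '/settings-secure', array(
        'methods'             => 'POST',
        'callback'            => 'example_post_settings_checked',
        // 1. Authorization: only users who may manage options get past this;
        //    an unauthenticated request is answered with 401 before the callback runs.
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
        'args' => array(
            'primary_color' => array(
                'required'          => true,
                // 2. Input validation: reject anything that is not a hex colour.
                'validate_callback' => function ( $value ) {
                    return example_valid_hex_color( $value );
                },
            ),
        ),
    ) );
} );

function example_post_settings_checked( WP_REST_Request $request ) {
    $color = $request->get_param( 'primary_color' ); // already validated above
    update_option( 'example_primary_color', $color );
    return rest_ensure_response( array( 'saved' => true, 'primary_color' => $color ) );
}

// 3. Output escaping: validate again where the value is emitted, so a bad
//    value stored by an older, unpatched version still cannot reach the page.
function example_print_inline_styles() {
    $stored = get_option( 'example_primary_color', '#336699' );
    $color  = example_valid_hex_color( $stored ) ? $stored : '#336699'; // fall back, never echo untrusted data
    // Assumes a stylesheet handle 'example-events-style' registered elsewhere;
    // the interpolated value is constrained to a hex literal, so it cannot
    // break out of the CSS rule.
    wp_add_inline_style( 'example-events-style', ':root{--example-primary:' . $color . ';}' );
}
add_action( 'wp_enqueue_scripts', 'example_print_inline_styles' );
```

The three checks are deliberately independent: the capability check stops unauthenticated writes, input validation stops a bad value from being stored by an authorized user, and re-validation at output protects pages even if the stored option was poisoned before the fix was deployed. When reviewing a plugin for this class of bug, look for `register_rest_route` calls with `'permission_callback' => '__return_true'` (or `wp_ajax_nopriv_` hooks) that end in `update_option`, and for options that are concatenated into `<style>` output without a type-specific sanitizer.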

Explanation of Vulnerability in Simple Terms

02 Summary

Eventin versions up to and including 4.0.51 lack proper authorization checks, allowing unauthenticated attackers to read and modify sensitive data across the site. The vulnerability affects event information, registrations, and booking details. No user interaction is required. Update to a version newer than 4.0.51.

What an attacker can do

03 Attacker Capabilities

Read and modify event data, registrations, and booking information without authentication.

Potential impact on your site

04 Site Impact

Attackers can view and alter event details, registrations, and tickets without logging in.

Conditions required to exploit

05 Prerequisites

Network access only; no authentication or user interaction required.

Key dates

06 Disclosure timeline

January 9, 2026 CVE published
April 8, 2026 Record updated