01 Description: What the vulnerability does
The Event List plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 2.0.4. The cause is that the plugin does not properly validate a user's capabilities before updating their profile in the el_update_profile() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change their capabilities to those of an administrator.
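The description above points at the missing control: a profile-update handler that trusts the request without checking who is calling it and what they are allowed to change. The following is an added example of the defensive pattern, not the Event List plugin's own code; the function name, form fields, nonce action and hook are hypothetical. It shows the three checks a WordPress profile-update handler needs: a nonce, a capability check tied to the target user, and an allow-list of editable fields so that role or capability data is never taken from the request.

```php
<?php
// Added example (hypothetical names, not the plugin's code): a hardened
// profile-update handler for a WordPress plugin. The insecure pattern it
// replaces would pass $_POST through to wp_update_user() with no capability
// check and no field allow-list, letting any logged-in user change their role.
function example_safe_update_profile() {
    // 1. Require a logged-in user and a valid nonce (CSRF protection).
    if ( ! is_user_logged_in() ) {
        wp_die( 'Authentication required.', '', array( 'response' => 401 ) );
    }
    check_admin_referer( 'example_update_profile', 'example_profile_nonce' );

    $target_user_id = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : 0;
    $current_id     = get_current_user_id();

    // 2. Capability check: a user may edit only their own profile unless they
    //    hold the core edit_users capability (administrators by default).
    if ( $target_user_id !== $current_id && ! current_user_can( 'edit_users' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // 3. Allow-list the fields a user may change. Role and capability fields
    //    are deliberately absent, so they cannot be set via this form.
    $allowed = array( 'display_name', 'description' );
    $update  = array( 'ID' => $target_user_id );
    foreach ( $allowed as $field ) {
        if ( isset( $_POST[ $field ] ) ) {
            $update[ $field ] = sanitize_text_field( wp_unslash( $_POST[ $field ] ) );
        }
    }

    // 4. Role changes are a separate, higher-privilege operation: require the
    //    core promote_users capability and validate the role against the
    //    roles registered on this site.
    if ( isset( $_POST['role'] ) ) {
        if ( ! current_user_can( 'promote_users' ) ) {
            wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
        }
        $role = sanitize_key( $_POST['role'] );
        if ( ! array_key_exists( $role, wp_roles()->roles ) ) {
            wp_die( 'Unknown role.', '', array( 'response' => 400 ) );
        }
        $update['role'] = $role;
    }

    $result = wp_update_user( $update );
    if ( is_wp_error( $result ) ) {
        wp_die( esc_html( $result->get_error_message() ), '', array( 'response' => 400 ) );
    }
    return $result;
}
// Hypothetical hook name; the form would post to admin-post.php with
// action=example_update_profile and the matching nonce field.
add_action( 'admin_post_example_update_profile', 'example_safe_update_profile' );
```

The key design point is that the capability check is made against the specific action (editing another user, changing a role), not merely against "is logged in", and that the set of writable fields is fixed in code rather than derived from the request. When reviewing a plugin for this class of flaw, look for profile or settings handlers that call wp_update_user(), update_user_meta() or WP_User::set_role() and confirm each is guarded by current_user_can() and a nonce check.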
02 Summary: Explanation of the vulnerability in simple terms
Event List versions 2.0.4 and earlier contain a privilege management flaw that allows authenticated users with low-level access to perform actions restricted to higher-privilege roles. An attacker with a basic user account can read sensitive data, modify site content, or disrupt service without any further user interaction. Update to a version newer than 2.0.4 immediately.
03 Attacker Capabilities: What an attacker can do
Read sensitive data, modify content, or disrupt the site using a low-privilege user account.
04 Site Impact: Potential impact on your site
Unauthorized users can access admin functions and modify or delete event data without proper authorization.
05 Prerequisites: Conditions required to exploit
Attacker must have a valid low-privilege user account on the site.
06 Disclosure timeline: Key dates
August 26, 2025: CVE published
April 8, 2026: Record updated