What the vulnerability does
01 Description
The EventON Lite plugin for WordPress is vulnerable to Information Exposure in all versions less than, or equal to, 2.4.6 via the add_single_eventon and add_eventon shortcodes due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password-protected, private, or draft posts that they should not have access to.
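The missing restriction described above is a per-viewer visibility check on the post a shortcode is asked to embed. The following is an added example, not EventON's code or its patch: the shortcode name example_single_event, the post type example_event and both function names are hypothetical, and only core WordPress functions are called.

```php
<?php
// Added illustration, not code from the EventON plugin.
// Hypothetical shortcode: [example_single_event id="123"]

/**
 * Decide whether the current viewer may see the referenced post.
 * Fails closed: anything not clearly allowed returns false.
 */
function example_event_is_viewable( $post_id ) {
    $post = get_post( absint( $post_id ) );

    // Unknown ID, or an ID pointing at some other post type.
    if ( ! $post || 'example_event' !== $post->post_type ) {
        return false;
    }
    // Password-protected and the viewer has not supplied the password.
    if ( post_password_required( $post ) ) {
        return false;
    }
    // Published content is public.
    if ( 'publish' === $post->post_status ) {
        return true;
    }
    // draft, pending, private, future, trash: defer to WordPress capability
    // mapping, which denies anonymous and unprivileged viewers.
    return current_user_can( 'read_post', $post->ID );
}

function example_single_event_shortcode( $atts ) {
    $atts = shortcode_atts( array( 'id' => 0 ), $atts, 'example_single_event' );

    if ( ! example_event_is_viewable( $atts['id'] ) ) {
        // Render nothing, so the output does not reveal that the post exists.
        return '';
    }

    $post = get_post( absint( $atts['id'] ) );

    return '<div class="example-event"><h3>'
        . esc_html( get_the_title( $post ) )
        . '</h3>'
        . wp_kses_post( wpautop( $post->post_content ) )
        . '</div>';
}
add_shortcode( 'example_single_event', 'example_single_event_shortcode' );
```

The check runs against the visitor viewing the page, not the author who placed the shortcode, so the same shortcode can render for an editor and return nothing for an anonymous visitor.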
Explanation of Vulnerability in Simple Terms
02 Summary
EventON – Events Calendar versions 2.4.7 and earlier expose sensitive information to authenticated users. A logged-in user with low privileges can access data they should not be able to view. The exposure is limited to information disclosure with no ability to modify or disable site functionality.
What an attacker can do
03 Attacker Capabilities
Read sensitive information they should not have access to.
Potential impact on your site
04 Site Impact
Authenticated users can view private event data or other restricted information depending on plugin configuration.
Conditions required to exploit
05 Prerequisites
Attacker must be logged in to the site with a low-privilege account.
Key dates
06 Disclosure timeline
August 15, 2025: CVE published
April 8, 2026: Record updated