CVE-2025-14657
Published: 09 January 2026
Summary
CVE-2025-14657 is a high-severity Missing Authorization (CWE-862) vulnerability in Wordpress (inferred from references). Its CVSS base score is 7.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 9.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
Threat & Defense at a Glance
Threat & Defense Details
Likely Mitigating ControlsAI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Requiring an access control policy ensures authorization checks are defined and applied for critical functions.
Reviews of access controls detect missing authorization checks on critical functions or resources.
Documenting permitted unauthenticated actions prevents missing authorization by making all exceptions explicit and subject to organizational review.
Requiring attribute association with information prevents authorization from being performed without necessary security or privacy context.
Mandating authorization prior to allowing remote connections addresses missing authorization for remote access.
Mandating authorization before wireless connections are allowed prevents missing authorization for wireless access.
The control requires authorization before allowing mobile device connections, directly mitigating missing authorization for system access.
Requiring approvals for account creation and specifying authorizations ensures authorization is not missing for system access.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Missing capability check and input sanitization in public-facing WordPress plugin directly enables remote exploitation of the application to achieve unauthorized modification and stored XSS.
NVD Description
The Eventin – Event Manager, Events Calendar, Event Tickets and Registrations plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'post_settings' function in all versions up to, and including, 4.0.51. This…
more
makes it possible for unauthenticated attackers to modify plugin settings. Furthermore, due to insufficient input sanitization and output escaping on the 'etn_primary_color' setting, this enables unauthenticated attackers to inject arbitrary web scripts that will execute whenever a user accesses a page where Eventin styles are loaded.
Deeper analysisAI
CVE-2025-14657 is a vulnerability in the Eventin – Event Manager, Events Calendar, Event Tickets and Registrations plugin for WordPress, affecting all versions up to and including 4.0.51. It arises from a missing capability check on the 'post_settings' function, enabling unauthorized modification of plugin data. Compounding this issue, insufficient input sanitization and output escaping on the 'etn_primary_color' setting allows attackers to inject arbitrary web scripts, resulting in stored cross-site scripting (XSS), as classified under CWE-862.
Unauthenticated attackers can exploit this vulnerability over the network with low complexity and no privileges, achieving partial confidentiality and integrity impacts in a changed scope, per its CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N). By calling the vulnerable function, they can alter plugin settings and inject malicious scripts into the 'etn_primary_color' parameter, which execute in users' browsers whenever a page loads Eventin styles.
Patches addressing this issue appear in WordPress plugin trac changeset 3429942, with modifications to files including base/Enqueue/register.php, base/api-handler.php, and core/event/api.php. Additional details on the vulnerability and remediation are provided in the Wordfence threat intelligence report.
Details
- CWE(s)