CVE-2025-14657
Published: 09 January 2026
Summary
CVE-2025-14657 is a high-severity Missing Authorization (CWE-862) vulnerability in Wordpress (inferred from references). Its CVSS base score is 7.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 10.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2025-14657 is a vulnerability in the Eventin – Event Manager, Events Calendar, Event Tickets and Registrations plugin for WordPress, affecting all versions up to and including 4.0.51. It arises from a missing capability check on the 'post_settings' function, enabling unauthorized modification of plugin data. Compounding this issue, insufficient input sanitization and output escaping on the 'etn_primary_color' setting allows attackers to inject arbitrary web scripts, resulting in stored cross-site scripting (XSS), as classified under CWE-862.
Unauthenticated attackers can exploit this vulnerability over the network with low complexity and no privileges, achieving partial confidentiality and integrity impacts in a changed scope, per its CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N). By calling the vulnerable function, they can alter plugin settings and inject malicious scripts into the 'etn_primary_color' parameter, which execute in users' browsers whenever a page loads Eventin styles.
Patches addressing this issue appear in WordPress plugin trac changeset 3429942, with modifications to files including base/Enqueue/register.php, base/api-handler.php, and core/event/api.php. Additional details on the vulnerability and remediation are provided in the Wordfence threat intelligence report.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-1775
Vulnerability details
The Eventin – Event Manager, Events Calendar, Event Tickets and Registrations plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'post_settings' function in all versions up to, and including, 4.0.51. This…
more
makes it possible for unauthenticated attackers to modify plugin settings. Furthermore, due to insufficient input sanitization and output escaping on the 'etn_primary_color' setting, this enables unauthenticated attackers to inject arbitrary web scripts that will execute whenever a user accesses a page where Eventin styles are loaded.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Missing capability check and input sanitization in public-facing WordPress plugin directly enables remote exploitation of the application to achieve unauthorized modification and stored XSS.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly enforces authorization checks on functions such as post_settings, blocking unauthenticated modification of plugin settings.
Requires validation and sanitization of the etn_primary_color input to prevent injection of arbitrary scripts.
Mandates output filtering/escaping on settings such as etn_primary_color before styles are rendered, mitigating stored XSS execution.