Cyber Resilience

CVE-2025-14657

High

Published: 09 January 2026

Published
09 January 2026
Modified
15 April 2026
KEV Added
Patch
CVSS Score v3.1 7.2 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
EPSS Score 0.0003 10.0th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-14657 is a high-severity Missing Authorization (CWE-862) vulnerability in Wordpress (inferred from references). Its CVSS base score is 7.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 10.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-14657 is a vulnerability in the Eventin – Event Manager, Events Calendar, Event Tickets and Registrations plugin for WordPress, affecting all versions up to and including 4.0.51. It arises from a missing capability check on the 'post_settings' function, enabling unauthorized modification of plugin data. Compounding this issue, insufficient input sanitization and output escaping on the 'etn_primary_color' setting allows attackers to inject arbitrary web scripts, resulting in stored cross-site scripting (XSS), as classified under CWE-862.

Unauthenticated attackers can exploit this vulnerability over the network with low complexity and no privileges, achieving partial confidentiality and integrity impacts in a changed scope, per its CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N). By calling the vulnerable function, they can alter plugin settings and inject malicious scripts into the 'etn_primary_color' parameter, which execute in users' browsers whenever a page loads Eventin styles.

Patches addressing this issue appear in WordPress plugin trac changeset 3429942, with modifications to files including base/Enqueue/register.php, base/api-handler.php, and core/event/api.php. Additional details on the vulnerability and remediation are provided in the Wordfence threat intelligence report.

EU & UK References

Vulnerability details

The Eventin – Event Manager, Events Calendar, Event Tickets and Registrations plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'post_settings' function in all versions up to, and including, 4.0.51. This…

more

makes it possible for unauthenticated attackers to modify plugin settings. Furthermore, due to insufficient input sanitization and output escaping on the 'etn_primary_color' setting, this enables unauthenticated attackers to inject arbitrary web scripts that will execute whenever a user accesses a page where Eventin styles are loaded.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Missing capability check and input sanitization in public-facing WordPress plugin directly enables remote exploitation of the application to achieve unauthorized modification and stored XSS.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-45209Shared CWE-862
CVE-2026-25026Shared CWE-862
CVE-2026-42083Shared CWE-862
CVE-2026-0656Shared CWE-862
CVE-2026-24532Shared CWE-862
CVE-2025-13603Shared CWE-862
CVE-2025-69063Shared CWE-862
CVE-2026-3045Shared CWE-862
CVE-2025-67956Shared CWE-862
CVE-2025-41765Shared CWE-862

Affected Assets

Wordpress
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly enforces authorization checks on functions such as post_settings, blocking unauthenticated modification of plugin settings.

prevent

Requires validation and sanitization of the etn_primary_color input to prevent injection of arbitrary scripts.

prevent

Mandates output filtering/escaping on settings such as etn_primary_color before styles are rendered, mitigating stored XSS execution.

References