CVE-2025-6366

HIGH 8.8

Event List <= 2.0.4 - Authenticated (Subscriber+) Privilege Escalation

CVSS Score

8.8

EPSS Score

0.0%

EPSS Percentile

0th

The Event List plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 2.0.4. This is due to the plugin not properly validating a user's capabilities prior to updating their profile in the el_update_profile() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change their capabilities to those of an administrator.

CWE	CWE-269
Vendor	ovatheme.com
Product	event list
Published	Aug 26, 2025
Last Updated	Apr 8, 2026

Stay Ahead of the Next One

Get instant alerts for ovatheme.com event list

Be the first to know when new high vulnerabilities affecting ovatheme.com event list are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

Affected Versions

ovatheme.com / Event List

0 ≤ 2.0.4

References

NVD ↗ CVE.org ↗ EPSS Data ↗

wordfence.com: https://www.wordfence.com/threat-intel/vulnerabilities/id/5998520b-62fd-4b3d-9b78-6363b72b406d?source=cve themeforest.net: https://themeforest.net/item/meup-marketplace-events-wordpress-theme/24770641

Credits

Tonn