CVE-2025-39482: 
WordPress vulnerability analysis and mitigation

A Missing Authorization vulnerability (CVE-2025-39482) was discovered in imithemes Eventer WordPress plugin affecting versions through 3.9.6. The vulnerability allows exploiting incorrectly configured access control security levels. The issue was publicly disclosed on May 16, 2025, and was initially reported by researcher Anhchangmutrang on January 13, 2025 (Patchstack).

The vulnerability has been assigned a CVSS v3.1 base score of 4.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N. This indicates a Network-based attack vector with Low attack complexity, requiring Low privileges and No user interaction. The vulnerability is classified under CWE-862 (Missing Authorization) (NVD, Wiz).

The vulnerability is classified as a Broken Access Control issue, which refers to a missing authorization, authentication, or nonce token check in a function that could allow an unprivileged user to execute certain higher privileged actions. The impact primarily affects confidentiality with a Low rating, while there are no direct impacts on integrity or availability (Wiz, Patchstack).

No official fix is currently available for this vulnerability. Security experts recommend removing and replacing the software as it appears to be abandoned and is unlikely to receive further updates or fixes. Note that merely deactivating the software does not remove the security threat unless a virtual patch is deployed (Patchstack).