CVE-2025-48116: 
WordPress vulnerability analysis and mitigation

A Missing Authorization vulnerability has been identified in Ashan Perera EventON plugin versions through 2.4.4. The vulnerability was discovered by astra.r3verii and publicly disclosed on May 16, 2025. This security issue affects the WordPress plugin EventON and is tracked as CVE-2025-48116 (Patchstack, Wiz).

The vulnerability is classified as a Missing Authorization issue (CWE-862) where functionality is not properly constrained by Access Control Lists (ACLs). It has been assigned a CVSS v3.1 base score of 5.3 (Medium severity) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L. The scoring indicates that the vulnerability is network-accessible, requires low attack complexity, needs no privileges or user interaction, and primarily impacts system availability (Patchstack).

The vulnerability affects system availability with no direct impact on confidentiality or integrity. As a broken access control issue, it could potentially allow unprivileged users to execute certain higher privileged actions (Patchstack).

The vulnerability has been fixed in EventON version 2.4.5. Users are advised to update to version 2.4.5 or later to remove the vulnerability. For Patchstack users, enabling auto-update for vulnerable plugins is recommended as an additional security measure (Patchstack).