CVE-2025-8091: 
WordPress vulnerability analysis and mitigation

The EventON Lite plugin for WordPress contains an Information Exposure vulnerability (CVE-2025-8091) affecting all versions up to and including 2.4.6. The vulnerability was discovered on August 14, 2025 and publicly disclosed on August 15, 2025. The issue affects the addsingleeventon and add_eventon shortcodes functionality in the plugin (NVD).

The vulnerability stems from insufficient restrictions on which posts can be included via the addsingleeventon and add_eventon shortcodes. This implementation flaw allows unauthenticated attackers to access data from password protected, private, or draft posts that should be restricted. The vulnerability has been assigned a CVSS v3.1 Base Score of 4.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N. The issue has been classified as CWE-200: Exposure of Sensitive Information to an Unauthorized Actor (NVD).

The vulnerability allows unauthorized users to extract sensitive data from password protected, private, or draft posts that they should not have access to. This could lead to the exposure of confidential information that was intended to be restricted (NVD).

The plugin has been temporarily closed as of August 14, 2025, pending a full security review. Users are advised to disable the plugin until a patched version is released (WordPress Plugin).

The plugin closure has generated significant concern in the WordPress community. User reviews indicate frustration with the plugin's security issues, with some users reporting that their sites were compromised due to delayed security patches (WordPress Plugin).