
CVE-2025-14507: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in metagauss EventPrime – Events Calendar, Bookings and Tickets

Severity: Medium
Tags: Vulnerability, CVE-2025-14507, CWE-200
Published: Tue Jan 13 2026 (01/13/2026, 13:49:13 UTC)
Source: CVE Database V5
Vendor/Project: metagauss
Product: EventPrime – Events Calendar, Bookings and Tickets

Description

The EventPrime - Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.2.7.0 via the REST API. This makes it possible for unauthenticated attackers to extract sensitive booking data including user names, email addresses, ticket details, payment information, and order keys when the API is enabled by an administrator. The vulnerability was partially patched in version 4.2.7.0.

AI-Powered Analysis

AI analysis last updated: 01/13/2026, 14:30:31 UTC

Technical Analysis

CVE-2025-14507 identifies a vulnerability in the EventPrime – Events Calendar, Bookings and Tickets plugin for WordPress, which is widely used to manage event bookings and ticket sales. The flaw exists in all versions up to and including 4.2.7.0 and stems from insufficient access controls on the plugin's REST API endpoints. When the REST API is enabled by an administrator, unauthenticated attackers can query these endpoints to retrieve sensitive booking data such as user names, email addresses, ticket details, payment information, and order keys. This exposure is classified under CWE-200, indicating that sensitive information is accessible to unauthorized actors. The vulnerability does not require authentication or user interaction, making it easier to exploit remotely over the network. Although version 4.2.7.0 includes a partial fix, the absence of a complete patch and lack of default API restrictions mean that many installations remain vulnerable. The CVSS 3.1 base score of 5.3 reflects a medium severity, primarily due to the confidentiality impact without affecting integrity or availability. No known exploits have been reported in the wild, but the potential for data leakage is significant given the nature of the exposed information. The vulnerability highlights the risks of enabling REST API features without strict access controls in WordPress plugins handling sensitive data.
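The root cause described above is a REST route that any client can call. The following is an added illustration, not EventPrime's own code: it contrasts a WordPress REST route whose `permission_callback` makes booking records public with a hardened route that enforces a capability check and returns only the fields a listing needs. The namespace `example-events/v1`, the `manage_bookings` capability and the sample booking rows are assumptions made for this example.

```php
<?php
// Added illustration, not EventPrime's own code. It contrasts a REST route whose
// permission_callback makes booking records public with a hardened route that
// checks a capability and returns only the fields a listing needs. The namespace
// 'example-events/v1', the 'manage_bookings' capability and the sample rows are
// assumptions made for this example.

// Constructed sample data standing in for the plugin's booking table.
function example_events_get_bookings(): array {
    return [
        [
            'id' => 101, 'event' => 'Summer Gala', 'user_name' => 'Alice Example',
            'email' => 'alice@example.test', 'order_key' => 'order_EXAMPLE_1',
            'payment' => [ 'method' => 'card', 'last4' => '4242' ],
        ],
        [
            'id' => 102, 'event' => 'Winter Fair', 'user_name' => 'Bob Example',
            'email' => 'bob@example.test', 'order_key' => 'order_EXAMPLE_2',
            'payment' => [ 'method' => 'paypal', 'last4' => null ],
        ],
    ];
}

add_action( 'rest_api_init', function () {
    // WEAK PATTERN: '__return_true' as the permission callback makes the route
    // reachable without authentication, so full records (names, e-mail
    // addresses, payment data, order keys) are served to any client.
    register_rest_route( 'example-events/v1', '/bookings-weak', [
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => function ( WP_REST_Request $request ) {
            return rest_ensure_response( example_events_get_bookings() );
        },
        'permission_callback' => '__return_true',
    ] );

    // HARDENED PATTERN: a real permission check plus data minimisation.
    register_rest_route( 'example-events/v1', '/bookings', [
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_events_bookings_handler',
        'permission_callback' => 'example_events_bookings_permission',
        'args'                => [
            'event' => [
                'type'              => 'string',
                'sanitize_callback' => 'sanitize_text_field',
            ],
        ],
    ] );
} );

// Unauthenticated callers get 401, authenticated callers without the
// capability get 403. Only a boolean true lets the handler run.
function example_events_bookings_permission( WP_REST_Request $request ) {
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'rest_not_logged_in', 'Authentication required.', [ 'status' => 401 ] );
    }
    if ( ! current_user_can( 'manage_bookings' ) ) {
        return new WP_Error( 'rest_forbidden', 'Insufficient permissions.', [ 'status' => 403 ] );
    }
    return true;
}

// Keep the local part private: "alice@example.test" becomes "a***@example.test".
function example_events_mask_email( string $email ): string {
    $at = strpos( $email, '@' );
    if ( false === $at ) {
        return '***';
    }
    return substr( $email, 0, 1 ) . '***' . substr( $email, $at );
}

function example_events_bookings_handler( WP_REST_Request $request ) {
    $wanted = $request->get_param( 'event' );
    $out    = [];
    foreach ( example_events_get_bookings() as $row ) {
        if ( null !== $wanted && $row['event'] !== $wanted ) {
            continue;
        }
        // Order keys and payment details never leave the server through this
        // listing; e-mail is masked unless the caller is a full administrator.
        $out[] = [
            'id'        => $row['id'],
            'event'     => $row['event'],
            'user_name' => $row['user_name'],
            'email'     => current_user_can( 'manage_options' )
                ? $row['email']
                : example_events_mask_email( $row['email'] ),
        ];
    }
    return rest_ensure_response( $out );
}
```

The two routes differ in only two places a code reviewer should look for in any plugin handling personal or payment data: whether `permission_callback` is a genuine check rather than `__return_true`, and whether the handler returns whole database rows or a deliberately chosen subset of fields.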

Potential Impact

For European organizations, the exposure of sensitive booking and payment data can lead to privacy violations under GDPR, resulting in regulatory fines and reputational damage. Compromised personal information such as names and email addresses can facilitate phishing campaigns, identity theft, and social engineering attacks. Exposure of payment details and order keys increases the risk of financial fraud and unauthorized transactions. Organizations relying on EventPrime for event management may face customer trust erosion and potential legal liabilities. The vulnerability also raises concerns for sectors with high event volumes, such as entertainment, conferences, and cultural institutions, which are prevalent across Europe. Data breaches could disrupt business operations and lead to costly incident response efforts. Since the vulnerability requires no authentication and can be exploited remotely, the attack surface is broad, affecting any publicly accessible WordPress site using the vulnerable plugin with enabled REST API. This makes European organizations using this plugin particularly vulnerable if they have not applied patches or restricted API access.

Mitigation Recommendations

European organizations should immediately update the EventPrime plugin to the latest version beyond 4.2.7.0 once a complete patch is released. Until then, administrators should disable the REST API functionality for EventPrime if it is not strictly necessary. Implement strict access controls and authentication mechanisms on REST API endpoints to prevent unauthenticated access. Conduct regular audits of WordPress plugins and their configurations to identify and remediate insecure settings. Employ web application firewalls (WAFs) to monitor and block suspicious API requests targeting EventPrime endpoints. Monitor logs for unusual access patterns indicative of exploitation attempts. Educate site administrators about the risks of enabling APIs without proper security measures. Additionally, review and limit the amount of sensitive data stored or exposed via plugins to minimize potential leakage. Prepare incident response plans to address potential data breaches involving personal and payment information. Finally, maintain up-to-date backups and ensure secure storage of sensitive customer data in compliance with GDPR.
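Where a plugin's own API cannot be turned off and a complete upstream fix is not yet available, a site administrator can gate the affected REST namespace without modifying the plugin. The following must-use plugin is an added example, not EventPrime's or WordPress's own code: it short-circuits unauthenticated requests to a guarded namespace through the `rest_pre_dispatch` filter and writes each blocked attempt to the PHP error log so that the attempts show up in monitoring. The namespace `example-events/v1` is an assumption; replace it with the namespace your own audit of the installed plugin identifies.

```php
<?php
/**
 * Plugin Name: Example REST namespace guard
 * Description: Added illustration (not EventPrime code). Requires an
 *              authenticated administrator for the listed REST namespaces
 *              and logs blocked attempts. Place in wp-content/mu-plugins/.
 */

// Assumed namespace for this example; use the one found in your audit.
const EXAMPLE_GUARDED_NAMESPACES = [ 'example-events/v1' ];

// True when the request route falls under one of the guarded namespaces.
function example_route_is_guarded( string $route ): bool {
    $route = ltrim( $route, '/' );
    foreach ( EXAMPLE_GUARDED_NAMESPACES as $ns ) {
        if ( $route === $ns || 0 === strncmp( $route, $ns . '/', strlen( $ns ) + 1 ) ) {
            return true;
        }
    }
    return false;
}

add_filter( 'rest_pre_dispatch', function ( $result, WP_REST_Server $server, WP_REST_Request $request ) {
    if ( ! example_route_is_guarded( $request->get_route() ) ) {
        return $result; // Not ours: let WordPress dispatch normally.
    }
    if ( is_user_logged_in() && current_user_can( 'manage_options' ) ) {
        return $result; // Authenticated administrator: allow.
    }

    // Detection: record who tried to reach the guarded namespace. REMOTE_ADDR
    // is only trustworthy when no reverse proxy sits in front of PHP.
    $ip = isset( $_SERVER['REMOTE_ADDR'] )
        ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) )
        : 'unknown';
    error_log( sprintf(
        'rest-guard: blocked unauthenticated %s %s from %s',
        $request->get_method(),
        $request->get_route(),
        $ip
    ) );

    // Returning a WP_Error from rest_pre_dispatch stops dispatch and is sent
    // to the client as a JSON error with the given status code.
    return new WP_Error(
        'rest_namespace_restricted',
        'This endpoint requires an authenticated administrator.',
        [ 'status' => 401 ]
    );
}, 10, 3 );
```

Two caveats when using this pattern. First, WordPress only treats a cookie session as logged in for REST requests that carry a valid `X-WP-Nonce` header (or use application passwords), so dashboard-driven calls keep working while plain browser or script requests are refused. Second, this gates a namespace rather than a feature: if the EventPrime API is not needed at all, disabling it in the plugin's settings is the simpler control, and the same allow-list rule can be expressed at a WAF or reverse proxy in front of the site.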


Technical Details

Data Version
5.2
Assigner Short Name
Wordfence
Date Reserved
2025-12-11T00:38:29.878Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 69664f10a60475309f2ea2cb

Added to database: 1/13/2026, 1:56:32 PM

Last enriched: 1/13/2026, 2:30:31 PM

Last updated: 1/14/2026, 6:21:40 AM

