The EventPrime – Events Calendar, Bookings and Tickets plugin for WordPress suffers from a sensitive information exposure vulnerability identified as CVE-2025-14507. This vulnerability exists in all versions up to and including 4.2.7.0 and is exploitable via the plugin's REST API when it is enabled by an administrator. The flaw allows unauthenticated remote attackers to retrieve sensitive booking-related data such as user names, email addresses, ticket details, payment information, and order keys. This exposure stems from insufficient access control on REST API endpoints, which fail to properly restrict data access to authorized users only. The vulnerability is categorized under CWE-200, indicating that sensitive information is disclosed to unauthorized actors. Although version 4.2.7.0 partially addresses the issue, complete mitigation requires updating to the latest secure version once available. The vulnerability has a CVSS 3.1 base score of 5.3, reflecting medium severity due to its ease of exploitation without authentication but limited impact on integrity and availability. No active exploits have been reported, but the sensitive nature of the data exposed poses privacy and potential fraud risks. The plugin is widely used in WordPress environments for event management, making this a relevant threat for organizations relying on it for booking and ticketing services.

The primary impact of CVE-2025-14507 is the unauthorized disclosure of sensitive personal and transactional data, which can lead to privacy violations, identity theft, and targeted phishing or social engineering attacks. Exposure of payment information and order keys could facilitate fraudulent transactions or unauthorized access to user accounts. Organizations using the vulnerable plugin risk reputational damage, regulatory penalties related to data protection laws (such as GDPR), and loss of customer trust. Since the vulnerability requires no authentication and can be exploited remotely, attackers can easily harvest data at scale if the REST API is enabled. However, the vulnerability does not allow modification or deletion of data, limiting impact on data integrity and availability. Nonetheless, the confidentiality breach alone is significant for businesses handling sensitive booking and payment information worldwide.

To mitigate this vulnerability, organizations should immediately update the EventPrime plugin to the latest version that fully patches CVE-2025-14507 once it is released. Until then, administrators should disable the REST API functionality within the plugin if it is not essential for operations. Restricting REST API access using authentication mechanisms or IP whitelisting can reduce exposure. Implementing Web Application Firewalls (WAFs) with rules to detect and block suspicious REST API requests targeting EventPrime endpoints is recommended. Regularly audit plugin configurations and access logs to detect unusual data access patterns. Additionally, organizations should review and minimize the amount of sensitive data stored or exposed via the plugin and ensure compliance with data protection policies. Monitoring vendor advisories and applying security patches promptly is critical to maintaining a secure environment.