
CVE-2025-8091: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in ashanjay EventON – Events Calendar

Severity: Medium
Tags: Vulnerability, CVE-2025-8091, CWE-200
Published: Fri Aug 15 2025 (08/15/2025, 08:25:39 UTC)
Source: CVE Database V5
Vendor/Project: ashanjay
Product: EventON – Events Calendar

Description

The EventON Lite plugin for WordPress is vulnerable to Information Exposure in all versions less than, or equal to, 2.4.6 via the add_single_eventon and add_eventon shortcodes due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.

AI-Powered Analysis

Last updated: 08/15/2025, 09:04:55 UTC

Technical Analysis

CVE-2025-8091 is a medium severity information exposure vulnerability affecting the EventON Lite plugin for WordPress, specifically versions up to and including 2.4.6. The vulnerability arises from insufficient access control on the add_single_eventon and add_eventon shortcodes, which are used to embed event data within WordPress posts. Because the shortcodes do not adequately restrict which posts may be included, unauthenticated attackers can use them to retrieve content from posts that are intended to be private, password protected, or in draft status. This means that sensitive event information or other data stored within these posts can be accessed without any authentication or user interaction. The vulnerability is classified under CWE-200, indicating exposure of sensitive information to unauthorized actors. The CVSS 3.1 base score is 4.3, reflecting a medium severity level, with the vector indicating network attack vector (AV:N), low attack complexity (AC:L), low privileges required (PR:L), no user interaction (UI:N), unchanged scope (S:U), and low impact on confidentiality (C:L), with no impact on integrity or availability (I:N/A:N). No known exploits are currently reported in the wild, and no patches have been linked yet. The vulnerability could allow attackers to gather sensitive organizational data, event details, or internal communications that were meant to be restricted, potentially aiding further reconnaissance or social engineering attacks.

Potential Impact

For European organizations using WordPress with the EventON Lite plugin, this vulnerability poses a risk of unauthorized disclosure of sensitive event-related information. This could include internal meeting details, confidential event plans, or other private content that organizations rely on EventON to manage. Exposure of such information could lead to reputational damage, loss of competitive advantage, or facilitation of targeted phishing and social engineering attacks. Since the vulnerability allows unauthenticated access, it lowers the barrier for attackers to gather intelligence without needing credentials. Although the impact on confidentiality is rated low, the sensitivity of the exposed data varies by organization and event context. For public sector entities, financial institutions, or companies managing sensitive events, the risk is more pronounced. The vulnerability does not affect data integrity or availability, so direct disruption is unlikely. However, the information leakage could be leveraged in multi-stage attacks. Given the widespread use of WordPress across Europe and the popularity of EventON for event management, many organizations could be indirectly affected if they have not updated or mitigated this vulnerability.

Mitigation Recommendations

European organizations should immediately audit their WordPress installations to identify the presence and version of the EventON Lite plugin. If version 2.4.6 or earlier is in use, they should prioritize upgrading to a patched version once available. In the absence of an official patch, organizations can implement temporary mitigations such as disabling the add_single_eventon and add_eventon shortcodes or restricting their usage to authenticated users only via custom code or plugin settings. Additionally, organizations should review and restrict access permissions on sensitive posts, ensuring that private or draft content is not inadvertently exposed through shortcode rendering. Web application firewalls (WAFs) can be configured to detect and block suspicious requests targeting these shortcodes. Monitoring web server logs for unusual access patterns related to these shortcodes can help detect exploitation attempts. Finally, organizations should educate content managers about the risks of embedding sensitive information in posts accessible via shortcodes and consider alternative secure event management solutions if immediate patching is not feasible.
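One way to apply the "restrict their usage to authenticated users via custom code" stopgap above, as an added example that is not the advisory's or EventON's own code: a must-use plugin that wraps the two shortcodes so they render only for users who are already allowed to read private posts and drafts, and logs blocked renderings for review. It assumes EventON registers the shortcodes during the `init` action at default priority, so the wrapper hooks in later.

```php
<?php
/**
 * Plugin Name: Gate EventON shortcodes (temporary mitigation example)
 * Description: Wraps add_single_eventon / add_eventon so they render only
 *              for users who may read private posts and drafts.
 * Install: copy to wp-content/mu-plugins/ (must-use plugins need no activation).
 */

// Hook late so EventON's own add_shortcode() calls have already run
// (assumption: the plugin registers them on 'init' at default priority 10).
add_action('init', function () {
    global $shortcode_tags;

    foreach (['add_single_eventon', 'add_eventon'] as $tag) {
        if (!shortcode_exists($tag)) {
            continue; // plugin inactive, or a version that no longer registers this tag
        }

        $original = $shortcode_tags[$tag]; // EventON's own render callback

        remove_shortcode($tag);
        add_shortcode($tag, function ($atts, $content = null) use ($original, $tag) {
            // Only users whose capabilities already cover non-public content may
            // trigger rendering; anonymous visitors and subscribers get nothing.
            $allowed = is_user_logged_in()
                && current_user_can('read_private_posts')
                && current_user_can('edit_posts');

            if (!$allowed) {
                // Leave a trace for log review: which post tried to render the
                // shortcode and from which client. No post content is echoed.
                error_log(sprintf(
                    '[eventon-gate] blocked [%s] in post %s from %s',
                    $tag,
                    get_the_ID() ?: 'unknown',
                    $_SERVER['REMOTE_ADDR'] ?? 'unknown'
                ));
                return '';
            }

            // Authorised user: defer to the original EventON callback unchanged.
            return call_user_func($original, $atts, $content, $tag);
        });
    }
}, 100);
```

Remove the file once a patched EventON Lite release is installed, since the wrapper also hides events from ordinary visitors on public posts.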


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2025-07-23T15:43:37.808Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 689ef436ad5a09ad00697352

Added to database: 8/15/2025, 8:47:50 AM

Last enriched: 8/15/2025, 9:04:55 AM

Last updated: 8/20/2025, 12:35:27 AM

