CVE-2025-8091 is an information exposure vulnerability identified in the EventON Lite plugin for WordPress, specifically affecting all versions up to and including 2.4.6. The flaw arises from insufficient access control on the add_single_eventon and add_eventon shortcodes, which are used to embed event data within WordPress posts. Due to improper restrictions, unauthenticated attackers can exploit these shortcodes to retrieve content from posts that are intended to be private, password-protected, or in draft status. This exposure violates the confidentiality of sensitive information stored within these posts. The vulnerability does not impact the integrity or availability of the system, nor does it require authentication or user interaction, making it remotely exploitable over the network. Although no public exploits have been reported, the risk remains significant for sites relying on EventON Lite for event management. The CVSS v3.1 base score is 4.3, indicating a medium severity level primarily due to the confidentiality impact and ease of exploitation. The vulnerability was reserved in July 2025 and published in August 2025, with no patches currently linked, emphasizing the need for immediate mitigation by site administrators.

The primary impact of CVE-2025-8091 is unauthorized disclosure of sensitive information contained within WordPress posts that are meant to be restricted, such as private events or drafts. This can lead to leakage of confidential business information, event details, or personal data, potentially resulting in reputational damage, privacy violations, or competitive disadvantage. Since the vulnerability does not affect data integrity or system availability, it does not enable attackers to modify content or disrupt services. However, the ease of exploitation without authentication increases the risk of widespread data exposure, especially on high-traffic or publicly accessible WordPress sites using the EventON Lite plugin. Organizations that rely on EventON for managing sensitive event information or internal communications are particularly vulnerable. The absence of known exploits in the wild suggests limited active exploitation currently, but the vulnerability’s presence in a popular WordPress plugin means attackers could develop exploits rapidly if not addressed.

To mitigate CVE-2025-8091, organizations should immediately update the EventON Lite plugin to a version that addresses this vulnerability once available. In the absence of an official patch, administrators should implement strict access controls on WordPress posts containing event data, ensuring that shortcodes cannot be used to expose restricted content. This can include disabling the add_single_eventon and add_eventon shortcodes on sensitive posts or using custom code to enforce permission checks before rendering shortcode content. Additionally, monitoring web server logs for unusual shortcode usage patterns can help detect exploitation attempts. Employing a Web Application Firewall (WAF) with rules to block unauthorized shortcode requests may provide temporary protection. Regularly auditing WordPress plugins for updates and vulnerabilities, and limiting plugin usage to trusted sources, will reduce future risk. Finally, educating content creators on the risks of storing sensitive information in posts accessible via shortcodes can help minimize exposure.