Platform
wordpress
Component
event-list
Fixed in
2.0.5
CVE-2025-6366 is a privilege escalation vulnerability affecting the Event List plugin for WordPress. An authenticated attacker with Subscriber-level access or higher can exploit this flaw to elevate their privileges to those of an administrator, gaining unauthorized control over the WordPress site. This vulnerability impacts versions 0.0.0 through 2.0.4, and a patch is available in version 2.0.5.
The impact of CVE-2025-6366 is significant, as it allows an attacker to gain complete administrative control over a WordPress site. This could lead to unauthorized modification of content, installation of malicious plugins or themes, data theft, and even complete site takeover. An attacker could leverage this privilege escalation to compromise sensitive data stored within the WordPress database, including user credentials, customer information, and financial details. The blast radius extends to all users and data accessible by the administrator account.
CVE-2025-6366 was publicly disclosed on 2025-08-26. There are currently no known public proof-of-concept exploits available, but the ease of exploitation suggests a potential for rapid development of such tools. The vulnerability is not currently listed on the CISA KEV catalog. Given the plugin's popularity and the relatively simple exploitation method, it is likely to become a target for malicious actors.
Websites using the Event List plugin, particularly those with Subscriber-level users who have access to profile editing functionalities, are at risk. Shared hosting environments where users have limited control over plugin updates are also particularly vulnerable. Sites with outdated WordPress installations or those lacking robust security practices are at heightened risk.
• wordpress / composer / npm:
grep -r 'el_update_profile' /var/www/html/wp-content/plugins/event-list/
• wordpress / composer / npm:
wp plugin list --status=active | grep 'event-list'
• wordpress / composer / npm:
wp plugin update event-list --version=2.0.5
Public Disclosure
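The grep and wp-cli commands above tell you whether the plugin is installed and active, but the grep for `el_update_profile` does not by itself distinguish a patched install from a vulnerable one; only the version decides. The script below is an added example (not code from the advisory or the plugin project) that reads the standard WordPress `Version:` header from a plugin's main file and compares it against the fixed version 2.0.5 stated on this page. The plugin file paths and the sample headers are constructed for the demonstration; on a real host you would point it at the plugin's main PHP file under wp-content/plugins/event-list/.

```shell
#!/bin/sh
# Added example: report whether an installed Event List plugin is at a version
# affected by CVE-2025-6366 (fixed in 2.0.5, per the advisory).
# Assumes the plugin's main file carries a standard WordPress "Version:" header.
set -eu

FIXED_VERSION="2.0.5"   # first fixed release, from the advisory

# el_plugin_version FILE -> prints the value of the "Version:" plugin header
el_plugin_version() {
    sed -n 's/^[[:space:]*]*Version:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' "$1" | head -n 1
}

# el_is_affected VERSION -> exit status 0 when VERSION is older than FIXED_VERSION
el_is_affected() {
    ver="$1"
    # sort -V orders version strings numerically component by component;
    # the installed version is older if it sorts first and is not the fixed one.
    first=$(printf '%s\n%s\n' "$ver" "$FIXED_VERSION" | sort -V | head -n 1)
    [ "$first" = "$ver" ] && [ "$ver" != "$FIXED_VERSION" ]
}

# el_check PLUGIN_MAIN_FILE -> prints "affected (...)", "fixed (...)" or "unknown"
el_check() {
    if [ ! -r "$1" ]; then
        echo "unknown"          # plugin file absent or unreadable
        return 0
    fi
    v=$(el_plugin_version "$1")
    if [ -z "$v" ]; then
        echo "unknown"          # no parseable Version: header
        return 0
    fi
    if el_is_affected "$v"; then
        echo "affected ($v < $FIXED_VERSION)"
    else
        echo "fixed ($v)"
    fi
}

# Demonstration on constructed plugin headers (not real plugin files).
demo_dir=$(mktemp -d)
printf '<?php\n/**\n * Plugin Name: Event List\n * Version: 2.0.4\n */\n' > "$demo_dir/event-list-old.php"
printf '<?php\n/**\n * Plugin Name: Event List\n * Version: 2.0.5\n */\n' > "$demo_dir/event-list-new.php"
echo "old install: $(el_check "$demo_dir/event-list-old.php")"
echo "new install: $(el_check "$demo_dir/event-list-new.php")"
rm -rf "$demo_dir"
```

To check a live site, replace the constructed files with the path to the plugin's main PHP file (the one wp-cli lists for event-list); a result of "unknown" means the file could not be read or carries no Version: header and should be investigated rather than treated as safe.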
Exploit Status
EPSS
0.06% (percentile 19%)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-6366 is to immediately upgrade the Event List plugin to version 2.0.5 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider restricting access to the profile update functionality through custom code or a security plugin. While not a complete solution, this can limit the potential for exploitation. Regularly review user roles and permissions to ensure they are appropriately configured. After upgrading, confirm the fix by attempting to update a Subscriber user's capabilities to Administrator using the WordPress admin interface; the attempt should fail.
Update the Event List plugin to version 2.0.5 or later to mitigate the privilege escalation vulnerability. This update corrects the incorrect validation of user capabilities, preventing users with Subscriber privileges from elevating themselves to administrators.
CVE-2025-6366 is a vulnerability in the Event List plugin for WordPress allowing authenticated Subscribers to gain Administrator privileges. It's rated HIGH severity (CVSS: 8.8) and affects versions 0.0.0–2.0.4.
You are affected if you are running Event List plugin versions 0.0.0 through 2.0.4 on your WordPress site. Check your plugin version and upgrade immediately if vulnerable.
Upgrade the Event List plugin to version 2.0.5 or later to resolve the vulnerability. If immediate upgrade is not possible, restrict profile update access.
While no public exploits are currently known, the ease of exploitation suggests a potential for active exploitation. Monitor your systems closely.
Refer to the Event List plugin's official website or WordPress plugin repository for the latest advisory and update information.