CVE-2025-3527
EventON - WordPress Virtual Event Calendar Plugin <= 4.9.6 - Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site ScriptingThe EventON Pro plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check in the 'assets/lib/settings/settings.js' file in all versions up to, and including, 4.9.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The vulnerability was partially patched in version 4.9.6.
We have discovered 13,666 live websites that are affected by CVE-2025-3527.
Affected Software
| Product | |
| Category | Appointment Scheduling |
| Vulnerable Domains | 13,666 live websites (90.54% of Eventon Premium install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 146 versions ( 97.33% of all versions) |
Common Weakness Enumeration
CWE-862 Missing AuthorizationDetails
- Published - May 17, 2025
- Updated - May 19, 2025
Credits
- anhchangmutrang (finder)
CWE
CVE References
CWE References
CVE-2025-3527 usage by Country
 United States | 5,360 websites |
 Germany | 2,030 websites |
 France | 1,001 websites |
 GB | 500 websites |
 Netherlands | 490 websites |
 Spain | 481 websites |
 Italy | 455 websites |
 Switzerland | 376 websites |
 Denmark | 222 websites |
 Canada | 204 websites |
CVE-2025-3527 usage by TLD
| .com | 4,570 websites |
| .org | 1,782 websites |
| .de | 1,245 websites |
| .nl | 527 websites |
| .fr | 403 websites |
| .it | 366 websites |
| .ch | 316 websites |
| .co.uk | 305 websites |
| .es | 285 websites |
| .net | 249 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2025-3527
Top websites that are affected by CVE-2025-3527. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| *************.pl |  Czech Republic | **,*** | |
| *****************.hr |  Croatia | **,*** | |
| *****.com | United States | **,*** | |
| ****.hr | Croatia | **,*** | |
| **************.org | United States | **,*** | |
| ****************.net | United States | **,*** | |
| ***********.com | United States | **,*** | |
| *******.com | United States | **,*** | |
| ************.org | United States | **,*** | |
| *******************************.org | United States | **,*** |
FAQ
CVE-2025-3527 is Missing Authorization in Eventon Premium
A total of 13,666 websites have been identified as vulnerable to CVE-2025-3527, based on global website indexing conducted by WebTechSurvey.
The Eventon Premium is affected by the CVE-2025-3527 vulnerability.
Eventon Premium versions up to and including 4.9.6 are vulnerable to CVE-2025-3527.