Description

The Ovatheme Events Manager plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several functions in the /class-ovaem-ajax.php file in all versions up to, and including, 1.8.6. This makes it possible for unauthenticated attackers to delete ticket files, download tickets, and more.

PUBLISHED Reserved 2025-07-14 | Published 2025-11-08 | Updated 2025-11-08 | Assigner Wordfence




MEDIUM: 6.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Problem types

CWE-862 Missing Authorization

Product status

Default status
unaffected

* (semver)
affected

Timeline

2025-07-14: Vendor Notified
2025-11-07: Disclosed

Credits

Friderika Baranyai (finder)

References

www.wordfence.com/...-fdb0-4838-b733-fc4d7a4ff016?source=cve

themeforest.net/...ent-multipurpose-wordpress-theme/20846579

cve.org (CVE-2025-7663)

nvd.nist.gov (CVE-2025-7663)
