CVE-2025-3527

Name of the Vulnerable Software and Affected Versions: EventON Pro plugin for WordPress versions up to, and including, 4.9.6

Description: The issue is related to a missing capability check in the 'assets/lib/settings/settings.js' file, allowing authenticated attackers with Subscriber-level access and above to inject arbitrary web scripts in pages. These scripts will execute whenever a user accesses an injected page.

Recommendations: For versions up to, and including, 4.9.6, update to a version that fully patches the issue, as version 4.9.6 only partially addresses the vulnerability. As a temporary workaround, consider restricting access to the 'assets/lib/settings/settings.js' file to prevent unauthorized modifications.