Analysis Report Folder Analysis cache/eventprime-event-calendar-management_4.2.7.0 → cache/eventprime-event-calendar-management_4.2.8.0 - CVE-2025-14507

Shared security patch analysis results

AI Used: claude_cli haiku
event-prime.php AI: No vulnerabilities
--- cache/eventprime-event-calendar-management_4.2.7.0/event-prime.php	2026-01-13 11:24:33.912038697 +0000+++ cache/eventprime-event-calendar-management_4.2.8.0/event-prime.php	2026-01-13 11:24:37.692272126 +0000@@ -16,7 +16,7 @@  * Plugin Name:       EventPrime – Modern Events Calendar, Bookings and Tickets
  * Plugin URI:        https://theeventprime.com
  * Description:       Beginner-friendly Events Calendar plugin to create free as well as paid Events. Includes Event Types, Event Sites & Performers too.
- * Version:           4.2.7.0
+ * Version:           4.2.8.0
  * Author:            EventPrime Event Calendar
  * Author URI:        https://theeventprime.com/
  * License:           GPL-2.0+
@@ -35,7 +35,7 @@  * Start at version 1.0.0 and use SemVer - https://semver.org
  * Rename this for your plugin and update it as you release new versions.
  */
-define( 'EVENTPRIME_VERSION', '4.2.7.0' );
+define( 'EVENTPRIME_VERSION', '4.2.8.0' );
 define('EM_DB_VERSION',4.0);
 if( ! defined( 'EP_PLUGIN_FILE' ) ) {
     define( 'EP_PLUGIN_FILE', __FILE__ );
AI Analysis
Vulnerability Existed: no

No Security Vulnerabilities Detected

Explanation:
This diff contains only version number updates in the EventPrime plugin file (event-prime.php). The changes are:
1. Plugin header version update from 4.2.7.0 to 4.2.8.0 (line 19)
2. PHP constant definition update from 4.2.7.0 to 4.2.8.0 (line 38)

These are benign metadata changes with no security implications. Version strings in comments and constants do not introduce or fix vulnerabilities. No code logic, security checks, input validation, authentication mechanisms, or any other security-relevant functionality has been modified.
CVE Analysis Results:
CVE-2025-14507: No
The EventPrime - Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.2.7.0 via the REST API. This makes it possible for unauthenticated attackers to extract sensitive booking data including user names, email addresses, ticket details, payment information, and order keys when the API is enabled by an administrator. The vulnerability was partially patched in version 4.2.7.0.
includes/class-eventprime-dbhandler.php AI: No vulnerabilities
--- cache/eventprime-event-calendar-management_4.2.7.0/includes/class-eventprime-dbhandler.php	2026-01-13 11:24:33.924039438 +0000+++ cache/eventprime-event-calendar-management_4.2.8.0/includes/class-eventprime-dbhandler.php	2026-01-13 11:24:37.712273361 +0000@@ -4011,7 +4011,8 @@ 						}
 					}
 					$counter++;
-					do_action( 'ep_after_edit_event_child_data', $child_post->ID, $child_post );
+					do_action( 'ep_after_edit_event_child_data', $child_post->ID, $child_post,$post_id);
+                                        
 				}
 			}
 		}
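Review bot: Existing listeners on `ep_after_edit_event_child_data` will not see the new third argument unless their `add_action()` registration declares `$accepted_args = 3`, so the callers that need `$post_id` must be updated together with this change; the new line `do_action( 'ep_after_edit_event_child_data', $child_post->ID, $child_post,$post_id);` should also follow the file's spacing convention (space after the comma and before the closing parenthesis), and the whitespace-only line added right after it should be dropped.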
AI Analysis
I'll analyze this code diff for security vulnerabilities.

Vulnerability Existed: no

[No Vulnerability Identified] - [N/A] - [includes/class-eventprime-dbhandler.php] [Lines 4014]

Old Code:
```php
do_action( 'ep_after_edit_event_child_data', $child_post->ID, $child_post );
```

Fixed Code:
```php
do_action( 'ep_after_edit_event_child_data', $child_post->ID, $child_post,$post_id);
```

Explanation:
This change adds an additional parameter (`$post_id`) to the WordPress `do_action()` hook call. This is a parameter addition to an action hook, not a security fix. The modification allows the hook to receive the parent post ID along with the child post information, which could be useful for plugin developers hooking into this action.

There are no security vulnerabilities in this change. The code does not introduce any:
- SQL injection risks (no database queries modified)
- Cross-site scripting (XSS) vulnerabilities (no user input sanitization issues)
- Authentication/authorization bypass
- Data exposure
- Command injection
- Path traversal
- CSRF vulnerabilities

The change is functionally neutral from a security perspective and appears to be a feature enhancement to pass additional context to hooked functions.
CVE Analysis Results:
CVE-2025-14507: No
includes/class-eventprime-functions.php AI: No vulnerabilities
--- cache/eventprime-event-calendar-management_4.2.7.0/includes/class-eventprime-functions.php	2026-01-13 11:24:33.928039685 +0000+++ cache/eventprime-event-calendar-management_4.2.8.0/includes/class-eventprime-functions.php	2026-01-13 11:24:37.716273608 +0000@@ -4047,13 +4047,13 @@ 
     // list all extension
     public function ep_list_all_exts() {
-        $exts = array('Live Seating', 'Events Import Export', 'Stripe Payments', 'Offline Payments', 'WooCommerce Integration', 'Event Sponsors', 'Attendees List', 'EventPrime Invoices', 'Coupon Codes', 'Guest Bookings', 'EventPrime Zoom Integration', 'Event List Widgets', 'Admin Attendee Bookings', 'EventPrime MailPoet', 'Twilio Text Notifications', 'Event Tickets', 'Zapier Integration', 'Advanced Reports', 'Advanced Checkout Fields', 'Elementor Integration', 'Mailchimp Integration', 'User Feedback', 'RSVP', 'WooCommerce Checkout', 'Ratings and Reviews','Attendee Event Check In','Waiting List','HoneyPot Security','Turnstile Antispam Security','Event Reminder Emails','Demo Data','Square Payments','hCaptcha Security');
+        $exts = array('Live Seating', 'Events Import Export', 'Stripe Payments', 'Offline Payments', 'WooCommerce Integration', 'Event Sponsors', 'Attendees List', 'EventPrime Invoices', 'Coupon Codes', 'Guest Bookings', 'EventPrime Zoom Integration', 'Event List Widgets', 'Admin Attendee Bookings', 'EventPrime MailPoet', 'Twilio Text Notifications', 'Event Tickets', 'Zapier Integration', 'Advanced Reports', 'Advanced Checkout Fields', 'Elementor Integration', 'Mailchimp Integration', 'User Feedback', 'RSVP', 'WooCommerce Checkout', 'Ratings and Reviews','Attendee Event Check In','Waiting List','HoneyPot Security','Turnstile Antispam Security','Event Reminder Emails','Demo Data','Square Payments','hCaptcha Security','Advanced Seat Plan Builder');
         return $exts;
     }
 
     // get premium extension list
     public function ep_load_premium_extension_list() {
-        $premium_ext_list = array('Live Seating', 'Stripe Payments', 'Offline Payments', 'Event Sponsors', 'Attendees List', 'EventPrime Invoices', 'Coupon Codes', 'Guest Bookings', 'EventPrime Zoom Integration', 'Event List Widgets', 'Admin Attendee Bookings', 'EventPrime MailPoet', 'Twilio Text Notifications', 'Event Tickets', 'Advanced Reports', 'Advanced Checkout Fields', 'Mailchimp Integration', 'User Feedback', 'RSVP', 'WooCommerce Checkout', 'Ratings and Reviews','Attendee Event Check In','Waiting List','Turnstile Antispam Security','Event Reminder Emails','Square Payments','hCaptcha Security');
+        $premium_ext_list = array('Live Seating', 'Stripe Payments', 'Offline Payments', 'Event Sponsors', 'Attendees List', 'EventPrime Invoices', 'Coupon Codes', 'Guest Bookings', 'EventPrime Zoom Integration', 'Event List Widgets', 'Admin Attendee Bookings', 'EventPrime MailPoet', 'Twilio Text Notifications', 'Event Tickets', 'Advanced Reports', 'Advanced Checkout Fields', 'Mailchimp Integration', 'User Feedback', 'RSVP', 'WooCommerce Checkout', 'Ratings and Reviews','Attendee Event Check In','Waiting List','Turnstile Antispam Security','Event Reminder Emails','Square Payments','hCaptcha Security','Advanced Seat Plan Builder');
         return $premium_ext_list;
     }
 
@@ -5534,6 +5534,29 @@                 $data['image'] = 'hcaptcha-integration.png';
                 $data['desc'] = "This extension adds hCaptcha to login, registration, and event booking forms, securing them against bots and automated abuse.";
                 break;
+                
+            case 'Advanced Seat Plan Builder':
+                $data['url'] = 'https://theeventprime.com/all-extensions/advanced-seat-plan-builder/';
+                $data['title'] = 'Advanced Seat Plan Builder';
+                if (in_array('eventprime-advanced-seat-plan-builder.php', $installed_plugin_file)) {
+                    $data['button'] = 'Activate';
+                    $data['class_name'] = 'ep-activate-now-btn';
+                    $file_key = array_search('eventprime-advanced-seat-plan-builder.php', $installed_plugin_file);
+                    if (!empty($file_key)) {
+                        $data['is_installed'] = 1;
+                    }
+                    $data['url'] = $this->em_get_extension_activation_url($installed_plugin_url[$file_key]);
+                }
+                $data['is_activate'] = class_exists("Eventprime_Advanced_Live_Seating");
+                if ($data['is_activate']) {
+                    $data['button'] = 'Setting';
+                    $data['class_name'] = 'ep-option-now-btn';
+                    $data['url'] = admin_url('edit.php?post_type=em_event&page=eventprime_seat_plans');
+                }
+                $data['is_free'] = !$this->ep_check_for_premium_extension('Advanced Seat Plan Builder');
+                $data['image'] = 'advanced-seat-plan-builder.png';
+                $data['desc'] = "Design advanced custom seating maps with shapes, rotation, and per-seat amenities, icons, and color-coded ticket zones.";
+                break;
 
             case 'Demo Data':
                 $data['url'] = 'https://theeventprime.com/all-extensions/demo-data/';
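Review bot: `if (!empty($file_key))` treats a key of 0 as "not found", so `$data['is_installed']` is never set when `eventprime-advanced-seat-plan-builder.php` happens to be the first entry of `$installed_plugin_file`; since the `in_array()` guard already guarantees a match, `if ($file_key !== false)` is the correct test. The activation check `class_exists("Eventprime_Advanced_Live_Seating")` uses a class name that does not resemble the extension's slug or title in the same case block, which deserves a short comment so the pairing is not mistaken for a copy-paste error later.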
AI Analysis
Vulnerability Existed: no

No Security Vulnerabilities Detected - includes/class-eventprime-functions.php [Lines 4050, 4057, 5537-5559]

Old Code:
```php
$exts = array('Live Seating', 'Events Import Export', 'Stripe Payments', 'Offline Payments', 'WooCommerce Integration', 'Event Sponsors', 'Attendees List', 'EventPrime Invoices', 'Coupon Codes', 'Guest Bookings', 'EventPrime Zoom Integration', 'Event List Widgets', 'Admin Attendee Bookings', 'EventPrime MailPoet', 'Twilio Text Notifications', 'Event Tickets', 'Zapier Integration', 'Advanced Reports', 'Advanced Checkout Fields', 'Elementor Integration', 'Mailchimp Integration', 'User Feedback', 'RSVP', 'WooCommerce Checkout', 'Ratings and Reviews','Attendee Event Check In','Waiting List','HoneyPot Security','Turnstile Antispam Security','Event Reminder Emails','Demo Data','Square Payments','hCaptcha Security');

$premium_ext_list = array('Live Seating', 'Stripe Payments', 'Offline Payments', 'Event Sponsors', 'Attendees List', 'EventPrime Invoices', 'Coupon Codes', 'Guest Bookings', 'EventPrime Zoom Integration', 'Event List Widgets', 'Admin Attendee Bookings', 'EventPrime MailPoet', 'Twilio Text Notifications', 'Event Tickets', 'Advanced Reports', 'Advanced Checkout Fields', 'Mailchimp Integration', 'User Feedback', 'RSVP', 'WooCommerce Checkout', 'Ratings and Reviews','Attendee Event Check In','Waiting List','Turnstile Antispam Security','Event Reminder Emails','Square Payments','hCaptcha Security');
```

Fixed Code:
```php
$exts = array('Live Seating', 'Events Import Export', 'Stripe Payments', 'Offline Payments', 'WooCommerce Integration', 'Event Sponsors', 'Attendees List', 'EventPrime Invoices', 'Coupon Codes', 'Guest Bookings', 'EventPrime Zoom Integration', 'Event List Widgets', 'Admin Attendee Bookings', 'EventPrime MailPoet', 'Twilio Text Notifications', 'Event Tickets', 'Zapier Integration', 'Advanced Reports', 'Advanced Checkout Fields', 'Elementor Integration', 'Mailchimp Integration', 'User Feedback', 'RSVP', 'WooCommerce Checkout', 'Ratings and Reviews','Attendee Event Check In','Waiting List','HoneyPot Security','Turnstile Antispam Security','Event Reminder Emails','Demo Data','Square Payments','hCaptcha Security','Advanced Seat Plan Builder');

$premium_ext_list = array('Live Seating', 'Stripe Payments', 'Offline Payments', 'Event Sponsors', 'Attendees List', 'EventPrime Invoices', 'Coupon Codes', 'Guest Bookings', 'EventPrime Zoom Integration', 'Event List Widgets', 'Admin Attendee Bookings', 'EventPrime MailPoet', 'Twilio Text Notifications', 'Event Tickets', 'Advanced Reports', 'Advanced Checkout Fields', 'Mailchimp Integration', 'User Feedback', 'RSVP', 'WooCommerce Checkout', 'Ratings and Reviews','Attendee Event Check In','Waiting List','Turnstile Antispam Security','Event Reminder Emails','Square Payments','hCaptcha Security','Advanced Seat Plan Builder');

case 'Advanced Seat Plan Builder':
    $data['url'] = 'https://theeventprime.com/all-extensions/advanced-seat-plan-builder/';
    $data['title'] = 'Advanced Seat Plan Builder';
    if (in_array('eventprime-advanced-seat-plan-builder.php', $installed_plugin_file)) {
        $data['button'] = 'Activate';
        $data['class_name'] = 'ep-activate-now-btn';
        $file_key = array_search('eventprime-advanced-seat-plan-builder.php', $installed_plugin_file);
        if (!empty($file_key)) {
            $data['is_installed'] = 1;
        }
        $data['url'] = $this->em_get_extension_activation_url($installed_plugin_url[$file_key]);
    }
    $data['is_activate'] = class_exists("Eventprime_Advanced_Live_Seating");
    if ($data['is_activate']) {
        $data['button'] = 'Setting';
        $data['class_name'] = 'ep-option-now-btn';
        $data['url'] = admin_url('edit.php?post_type=em_event&page=eventprime_seat_plans');
    }
    $data['is_free'] = !$this->ep_check_for_premium_extension('Advanced Seat Plan Builder');
    $data['image'] = 'advanced-seat-plan-builder.png';
    $data['desc'] = "Design advanced custom seating maps with shapes, rotation, and per-seat amenities, icons, and color-coded ticket zones.";
    break;
```

Explanation:
This diff contains only data structure updates and feature configuration additions. The changes are:

1. **Extension list updates** (lines 4050, 4057): Adding 'Advanced Seat Plan Builder' to extension arrays - this is a whitelist maintenance operation with no security implications.

2. **New case statement** (lines 5537-5559): Adds handling for the new 'Advanced Seat Plan Builder' extension with configuration similar to existing extensions. The code uses:
   - Hardcoded URLs (safe)
   - `in_array()` for whitelist checking (safe use)
   - `array_search()` with proper index validation (safe)
   - `class_exists()` for capability checking (safe)
   - WordPress API functions like `admin_url()` (safe)
   - Existing helper methods like `em_get_extension_activation_url()` and `ep_check_for_premium_extension()` (assumed safe)

No security vulnerabilities are introduced or fixed in this diff. These are routine maintenance changes for adding a new extension to the plugin's extension management system.
CVE Analysis Results:
CVE-2025-14507: No
includes/class-eventprime-license.php AI: No vulnerabilities
--- cache/eventprime-event-calendar-management_4.2.7.0/includes/class-eventprime-license.php	2026-01-13 11:24:33.928039685 +0000+++ cache/eventprime-event-calendar-management_4.2.8.0/includes/class-eventprime-license.php	2026-01-13 11:24:37.720273855 +0000@@ -443,6 +443,7 @@             'Square_Payment_Integration'=>array(40850,'Square Payments','paid'),
             'Eventprime_Hcaptcha_Integration'=>array(40856,'hCaptcha Security','paid'),
             'Eventprime_Demo_Data'=>array(35183,'Demo Data','free'),
+            'Eventprime_Advanced_Live_Seating'=>array(42196,'Advanced Seat Plan Builder','paid'),
         );
         return $extensions;
     }
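Review bot: The 'Advanced Seat Plan Builder' name is now maintained by hand in three places (this license map plus `ep_list_all_exts()` and `ep_load_premium_extension_list()` in class-eventprime-functions.php), with the paid/free flag repeated in each; deriving the two name lists from this single map would remove the risk of the premium flag drifting between them.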
@@ -1063,6 +1064,14 @@         'admin_url' => 'edit.php?post_type=em_event&page=ep-demo-data',
         'image' => 'ep-demo-data-icon.png',
         'desc' => "The purpose of this extension is to help users quickly set up their EventPrime installation with demo events to showcase the plugin’s features. The extension will allow users to generate demo events, with the option to include demo user accounts to show booking details."
+    ],
+        
+    'Eventprime_Advanced_Live_Seating' => [
+        'url' => 'https://theeventprime.com/all-extensions/advanced-seat-plan-builder/',
+        'slug' => 'eventprime-advanced-seat-plan-builder',
+        'admin_url' => 'edit.php?post_type=em_event&page=eventprime_seat_plans',
+        'image' => 'advanced-seat-plan-builder.png',
+        'desc' => "Design advanced custom seating maps with shapes, rotation, and per-seat amenities, icons, and color-coded ticket zones."
     ]
 ];
 
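Review bot: The added line between `],` and the new `'Eventprime_Advanced_Live_Seating'` entry is whitespace-only and should be an empty line; the entry itself is consistent with the `admin_url` used by the new case in class-eventprime-functions.php (`edit.php?post_type=em_event&page=eventprime_seat_plans`).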
AI Analysis
Vulnerability Existed: no

No Security Vulnerabilities Detected - [N/A] - includes/class-eventprime-license.php [Lines 446, 1067-1076]

Old Code:
```php
'Eventprime_Demo_Data'=>array(35183,'Demo Data','free'),
```

Fixed Code:
```php
'Eventprime_Demo_Data'=>array(35183,'Demo Data','free'),
'Eventprime_Advanced_Live_Seating'=>array(42196,'Advanced Seat Plan Builder','paid'),
```

and

Old Code:
```php
'desc' => "The purpose of this extension is to help users quickly set up their EventPrime installation with demo events to showcase the plugin's features. The extension will allow users to generate demo events, with the option to include demo user accounts to show booking details."
     ]
```

Fixed Code:
```php
'desc' => "The purpose of this extension is to help users quickly set up their EventPrime installation with demo events to showcase the plugin's features. The extension will allow users to generate demo events, with the option to include demo user accounts to show booking details."
    ],
        
    'Eventprime_Advanced_Live_Seating' => [
        'url' => 'https://theeventprime.com/all-extensions/advanced-seat-plan-builder/',
        'slug' => 'eventprime-advanced-seat-plan-builder',
        'admin_url' => 'edit.php?post_type=em_event&page=eventprime_seat_plans',
        'image' => 'advanced-seat-plan-builder.png',
        'desc' => "Design advanced custom seating maps with shapes, rotation, and per-seat amenities, icons, and color-coded ticket zones."
     ]
```

Explanation:
This diff adds a new extension entry ('Eventprime_Advanced_Live_Seating') to the license management configuration. The changes are purely additive and structural, adding configuration data for a new feature. All values are hardcoded strings and URLs from the official theeventprime.com domain. There is no user input processing, SQL queries, file operations, or data handling that could introduce security vulnerabilities. The strings are properly quoted and formatted. No injection vectors, authentication bypasses, privilege escalations, or other security issues are present in this code addition.
CVE Analysis Results:
CVE-2025-14507: No
includes/class-eventprime-rest-api.php AI: 2 vulnerabilities (1 false positive, 1 true positive)
--- cache/eventprime-event-calendar-management_4.2.7.0/includes/class-eventprime-rest-api.php	2026-01-13 11:24:33.932039932 +0000+++ cache/eventprime-event-calendar-management_4.2.8.0/includes/class-eventprime-rest-api.php	2026-01-13 11:24:37.720273855 +0000@@ -76,7 +76,7 @@             wp_send_json(
                 array(
                     'status'  => 'error',
-                    'message' => __( 'EventPrime API is disabled.', 'eventprime' ),
+                    'message' => esc_html__( 'EventPrime API is disabled.', 'eventprime' ),
                     'code'    => 'ep_api_disabled',
                 )
             );
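Review bot: The text domain in this hunk (`'eventprime'`) differs from the `'eventprime-event-calendar-management'` domain used in every other hunk of this file, so the string will not be picked up by the plugin's translation catalogue; fix the domain while touching the line. Separately, `esc_html__()` on a string that goes out through `wp_send_json()` is not an escaping fix: JSON output is encoded by WordPress's JSON layer, and HTML escaping belongs where the message is rendered into a page.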
@@ -950,7 +950,7 @@             if ( $check instanceof WP_REST_Response ) {
                 $data    = $check->get_data();
                 $status  = $check->get_status();
-                $message = isset( $data['message'] ) ? $data['message'] : __( 'Invalid or missing access token.', 'eventprime-event-calendar-management' );
+                $message = isset( $data['message'] ) ? $data['message'] : esc_html__( 'Invalid or missing access token.', 'eventprime-event-calendar-management' );
                 return new WP_Error( 'rest_forbidden', $message, array( 'status' => $status ? $status : 401 ) );
             }
             return $check;
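Review bot: This six-line block (`get_data()`, `get_status()`, the `$message` fallback and the `WP_Error( 'rest_forbidden', ... )`) is repeated verbatim in a dozen permission callbacks in this diff; moving it into one private helper would let the fallback message, text domain and `401` default be changed in a single place instead of by a multi-hunk search-and-replace like this one.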
@@ -967,7 +967,7 @@             if ( $check instanceof WP_REST_Response ) {
                 $data    = $check->get_data();
                 $status  = $check->get_status();
-                $message = isset( $data['message'] ) ? $data['message'] : __( 'Invalid or missing access token.', 'eventprime-event-calendar-management' );
+                $message = isset( $data['message'] ) ? $data['message'] : esc_html__( 'Invalid or missing access token.', 'eventprime-event-calendar-management' );
                 return new WP_Error( 'rest_forbidden', $message, array( 'status' => $status ? $status : 401 ) );
             }
             return $check;
@@ -983,7 +983,7 @@             if ( $check instanceof WP_REST_Response ) {
                 $data    = $check->get_data();
                 $status  = $check->get_status();
-                $message = isset( $data['message'] ) ? $data['message'] : __( 'Invalid or missing access token.', 'eventprime-event-calendar-management' );
+                $message = isset( $data['message'] ) ? $data['message'] : esc_html__( 'Invalid or missing access token.', 'eventprime-event-calendar-management' );
                 return new WP_Error( 'rest_forbidden', $message, array( 'status' => $status ? $status : 401 ) );
             }
             return $check;
@@ -997,7 +997,7 @@             if ( $check instanceof WP_REST_Response ) {
                 $data    = $check->get_data();
                 $status  = $check->get_status();
-                $message = isset( $data['message'] ) ? $data['message'] : __( 'Invalid or missing access token.', 'eventprime-event-calendar-management' );
+                $message = isset( $data['message'] ) ? $data['message'] : esc_html__( 'Invalid or missing access token.', 'eventprime-event-calendar-management' );
                 return new WP_Error( 'rest_forbidden', $message, array( 'status' => $status ? $status : 401 ) );
             }
             return $check;
@@ -1084,7 +1084,7 @@             if ( $check instanceof WP_REST_Response ) {
                 $data    = $check->get_data();
                 $status  = $check->get_status();
-                $message = isset( $data['message'] ) ? $data['message'] : __( 'Invalid or missing access token.', 'eventprime-event-calendar-management' );
+                $message = isset( $data['message'] ) ? $data['message'] : esc_html__( 'Invalid or missing access token.', 'eventprime-event-calendar-management' );
                 return new WP_Error( 'rest_forbidden', $message, array( 'status' => $status ? $status : 401 ) );
             }
             return $check;
@@ -1102,7 +1102,7 @@             if ( $check instanceof WP_REST_Response ) {
                 $data    = $check->get_data();
                 $status  = $check->get_status();
-                $message = isset( $data['message'] ) ? $data['message'] : __( 'Invalid or missing access token.', 'eventprime-event-calendar-management' );
+                $message = isset( $data['message'] ) ? $data['message'] : esc_html__( 'Invalid or missing access token.', 'eventprime-event-calendar-management' );
                 return new WP_Error( 'rest_forbidden', $message, array( 'status' => $status ? $status : 401 ) );
             }
             return $check;
@@ -1120,15 +1120,15 @@             if ( $check instanceof WP_REST_Response ) {
                 $data    = $check->get_data();
                 $status  = $check->get_status();
-                $message = isset( $data['message'] ) ? $data['message'] : __( 'Invalid or missing access token.', 'eventprime-event-calendar-management' );
+                $message = isset( $data['message'] ) ? $data['message'] : esc_html__( 'Invalid or missing access token.', 'eventprime-event-calendar-management' );
                 return new WP_Error( 'rest_forbidden', $message, array( 'status' => $status ? $status : 401 ) );
             }
             return $check;
         }
         
         // Require capability to view bookings
-        if (!is_user_logged_in() || !current_user_can('edit_posts')) {
-            return new WP_Error( 'rest_forbidden', __( 'You are not allowed to access bookings.', 'eventprime-event-calendar-management' ), array( 'status' => 403 ) );
+        if (!is_user_logged_in() || !current_user_can('manage_options')) {
+            return new WP_Error( 'rest_forbidden', esc_html__( 'You are not allowed to access bookings.', 'eventprime-event-calendar-management' ), array( 'status' => 403 ) );
         }
         
         return true;
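Review bot: The change from `current_user_can('edit_posts')` to `current_user_can('manage_options')` is the one substantive access-control change in this diff and the part that bears on CVE-2025-14507 (booking data reachable through the REST API); the surrounding `esc_html__()` swaps do not alter who can reach the data. Note that this capability check is only reached when the preceding block is skipped: when that block runs, `return $check;` ends the callback, so the token validation in that branch carries the full authorization burden for booking data and should be reviewed with the same care. The `!is_user_logged_in()` clause is redundant with `current_user_can('manage_options')`, which is already false for an anonymous visitor, but harmless.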
@@ -1142,7 +1142,7 @@             if ( $check instanceof WP_REST_Response ) {
                 $data    = $check->get_data();
                 $status  = $check->get_status();
-                $message = isset( $data['message'] ) ? $data['message'] : __( 'Invalid or missing access token.', 'eventprime-event-calendar-management' );
+                $message = isset( $data['message'] ) ? $data['message'] : esc_html__( 'Invalid or missing access token.', 'eventprime-event-calendar-management' );
                 return new WP_Error( 'rest_forbidden', $message, array( 'status' => $status ? $status : 401 ) );
             }
             return $check;
@@ -1156,7 +1156,7 @@             if ( $check instanceof WP_REST_Response ) {
                 $data    = $check->get_data();
                 $status  = $check->get_status();
-                $message = isset( $data['message'] ) ? $data['message'] : __( 'Invalid or missing access token.', 'eventprime-event-calendar-management' );
+                $message = isset( $data['message'] ) ? $data['message'] : esc_html__( 'Invalid or missing access token.', 'eventprime-event-calendar-management' );
                 return new WP_Error( 'rest_forbidden', $message, array( 'status' => $status ? $status : 401 ) );
             }
             return $check;
@@ -1171,7 +1171,7 @@             if ( $check instanceof WP_REST_Response ) {
                 $data    = $check->get_data();
                 $status  = $check->get_status();
-                $message = isset( $data['message'] ) ? $data['message'] : __( 'Invalid or missing access token.', 'eventprime-event-calendar-management' );
+                $message = isset( $data['message'] ) ? $data['message'] : esc_html__( 'Invalid or missing access token.', 'eventprime-event-calendar-management' );
                 return new WP_Error( 'rest_forbidden', $message, array( 'status' => $status ? $status : 401 ) );
             }
             return $check;
@@ -1185,7 +1185,7 @@             if ( $check instanceof WP_REST_Response ) {
                 $data    = $check->get_data();
                 $status  = $check->get_status();
-                $message = isset( $data['message'] ) ? $data['message'] : __( 'Invalid or missing access token.', 'eventprime-event-calendar-management' );
+                $message = isset( $data['message'] ) ? $data['message'] : esc_html__( 'Invalid or missing access token.', 'eventprime-event-calendar-management' );
                 return new WP_Error( 'rest_forbidden', $message, array( 'status' => $status ? $status : 401 ) );
             }
             return $check;
@@ -2535,7 +2535,7 @@                 if ( $check instanceof WP_REST_Response ) {
                     $data    = $check->get_data();
                     $status  = $check->get_status();
-                    $message = isset( $data['message'] ) ? $data['message'] : __( 'Invalid or missing access token.', 'eventprime-event-calendar-management' );
+                    $message = isset( $data['message'] ) ? $data['message'] : esc_html__( 'Invalid or missing access token.', 'eventprime-event-calendar-management' );
                     return new WP_Error( 'rest_forbidden', $message, array( 'status' => $status ? $status : 401 ) );
                 }
                 return $check;
@@ -2562,7 +2562,7 @@                     if ( $check instanceof WP_REST_Response ) {
                         $data    = $check->get_data();
                         $status  = $check->get_status();
-                        $message = isset( $data['message'] ) ? $data['message'] : __( 'Invalid or missing access token.', 'eventprime-event-calendar-management' );
+                        $message = isset( $data['message'] ) ? $data['message'] : esc_html__( 'Invalid or missing access token.', 'eventprime-event-calendar-management' );
                         return new WP_Error( 'rest_forbidden', $message, array( 'status' => $status ? $status : 401 ) );
                     }
                     return $check;
@@ -3056,10 +3056,10 @@                 case 'failed_booking':
                     return $helpers->all_bookings_data( 'failed' );
                 default:
-                    return array( 'status' => 'error', 'message' => __( 'Unknown trigger', 'eventprime-event-calendar-management' ) );
+                    return array( 'status' => 'error', 'message' => esc_html__( 'Unknown trigger', 'eventprime-event-calendar-management' ) );
             }
         }
-        return array( 'status' => 'error', 'message' => __( 'Integration helpers are not available.', 'eventprime-event-calendar-management' ) );
+        return array( 'status' => 'error', 'message' => esc_html__( 'Integration helpers are not available.', 'eventprime-event-calendar-management' ) );
     }
 
     /**
@@ -3110,7 +3110,7 @@         if ( $helpers ) {
             return $helpers->all_bookings_data( $status );
         }
-        return array( 'status' => 'error', 'message' => __( 'Integration helpers not available.', 'eventprime-event-calendar-management' ) );
+        return array( 'status' => 'error', 'message' => esc_html__( 'Integration helpers not available.', 'eventprime-event-calendar-management' ) );
     }
 
     /**
@@ -3123,9 +3123,9 @@                 $performer = isset( $res['performer'] ) ? $res['performer'] : $res;
                 return array( 'status' => 'success', 'count' => 1, 'performers' => array( $performer ) );
             }
-            return array( 'status' => 'error', 'message' => isset( $res['message'] ) ? $res['message'] : __( 'No performers found.', 'eventprime-event-calendar-management' ) );
+            return array( 'status' => 'error', 'message' => isset( $res['message'] ) ? $res['message'] : esc_html__( 'No performers found.', 'eventprime-event-calendar-management' ) );
         }
-        return array( 'status' => 'error', 'message' => __( 'Integration helpers not available.', 'eventprime-event-calendar-management' ) );
+        return array( 'status' => 'error', 'message' => esc_html__( 'Integration helpers not available.', 'eventprime-event-calendar-management' ) );
     }
 
     /**
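Review bot: `isset( $res['message'] ) ? $res['message'] : esc_html__( 'No performers found.', ... )` escapes only the static fallback; the `$res['message']` branch, which is the one fed by the helper, is returned as-is. The same asymmetry recurs in the organizer, venue, events and event-sample hunks that follow. Either escape both branches at the point of output or neither here; escaping only a literal translation string gives the caller no consistent guarantee about the message it receives.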
@@ -3138,9 +3138,9 @@                 $organizer = isset( $res['organizer'] ) ? $res['organizer'] : $res;
                 return array( 'status' => 'success', 'count' => 1, 'organizers' => array( $organizer ) );
             }
-            return array( 'status' => 'error', 'message' => isset( $res['message'] ) ? $res['message'] : __( 'No organizers found.', 'eventprime-event-calendar-management' ) );
+            return array( 'status' => 'error', 'message' => isset( $res['message'] ) ? $res['message'] : esc_html__( 'No organizers found.', 'eventprime-event-calendar-management' ) );
         }
-        return array( 'status' => 'error', 'message' => __( 'Integration helpers not available.', 'eventprime-event-calendar-management' ) );
+        return array( 'status' => 'error', 'message' => esc_html__( 'Integration helpers not available.', 'eventprime-event-calendar-management' ) );
     }
 
     /**
@@ -3153,9 +3153,9 @@                 $venue = isset( $res['venue'] ) ? $res['venue'] : $res;
                 return array( 'status' => 'success', 'count' => 1, 'venues' => array( $venue ) );
             }
-            return array( 'status' => 'error', 'message' => isset( $res['message'] ) ? $res['message'] : __( 'No venues found.', 'eventprime-event-calendar-management' ) );
+            return array( 'status' => 'error', 'message' => isset( $res['message'] ) ? $res['message'] : esc_html__( 'No venues found.', 'eventprime-event-calendar-management' ) );
         }
-        return array( 'status' => 'error', 'message' => __( 'Integration helpers not available.', 'eventprime-event-calendar-management' ) );
+        return array( 'status' => 'error', 'message' => esc_html__( 'Integration helpers not available.', 'eventprime-event-calendar-management' ) );
     }
 
     /**
@@ -3170,7 +3170,7 @@             }
             return $res;
         }
-        return array( 'status' => 'error', 'message' => __( 'Integration helpers not available.', 'eventprime-event-calendar-management' ) );
+        return array( 'status' => 'error', 'message' => esc_html__( 'Integration helpers not available.', 'eventprime-event-calendar-management' ) );
     }
 
     /**
@@ -3191,9 +3191,9 @@                     return array( 'status' => 'success', 'count' => count( $res['events'] ), 'events' => $res['events'] );
                 }
             }
-            return array( 'status' => 'error', 'message' => isset( $res['message'] ) ? $res['message'] : __( 'No events found.', 'eventprime-event-calendar-management' ) );
+            return array( 'status' => 'error', 'message' => isset( $res['message'] ) ? $res['message'] : esc_html__( 'No events found.', 'eventprime-event-calendar-management' ) );
         }
-        return array( 'status' => 'error', 'message'=> __( 'Integration helpers not available.', 'eventprime-event-calendar-management' ) );
+        return array( 'status' => 'error', 'message'=> esc_html__( 'Integration helpers not available.', 'eventprime-event-calendar-management' ) );
     }
 
     /**
@@ -3209,9 +3209,9 @@             if ( is_object( $validated ) || is_array( $validated ) ) {
                 return array( 'status' => 'success', 'count' => 1, 'event' => $validated );
             }
-            return array( 'status' => 'error', 'message' => __( 'Event validation failed.', 'eventprime-event-calendar-management' ) );
+            return array( 'status' => 'error', 'message' => esc_html__( 'Event validation failed.', 'eventprime-event-calendar-management' ) );
         }
-        return array( 'status' => 'error', 'message' => __( 'Integration helpers not available.', 'eventprime-event-calendar-management' ) );
+        return array( 'status' => 'error', 'message' => esc_html__( 'Integration helpers not available.', 'eventprime-event-calendar-management' ) );
     }
 
     protected function integration_get_event_sample( $action ) {
@@ -3226,9 +3226,9 @@             if ( isset( $res['event_id'] ) ) {
                 return array( 'status' => 'success', 'count' => 1, 'events' => array( array( 'event_id' => $res['event_id'], 'event_name' => isset( $res['event_name'] ) ? $res['event_name'] : '' ) ) );
             }
-            return array( 'status' => 'error', 'message' => isset( $res['message'] ) ? $res['message'] : __( 'No events found for sample data.', 'eventprime-event-calendar-management' ) );
+            return array( 'status' => 'error', 'message' => isset( $res['message'] ) ? $res['message'] : esc_html__( 'No events found for sample data.', 'eventprime-event-calendar-management' ) );
         }
-        return array( 'status' => 'error', 'message' => __( 'Integration helpers not available.', 'eventprime-event-calendar-management' ) );
+        return array( 'status' => 'error', 'message' => esc_html__( 'Integration helpers not available.', 'eventprime-event-calendar-management' ) );
     }
 
     protected function integration_all_events_list() {
@@ -3238,9 +3238,9 @@             if ( ! empty( $res ) ) {
                 return array( 'status' => 'success', 'count' => count( $res ), 'events' => $res );
             }
-            return array( 'status' => 'error', 'message' => __( 'No events found.', 'eventprime-event-calendar-management' ) );
+            return array( 'status' => 'error', 'message' => esc_html__( 'No events found.', 'eventprime-event-calendar-management' ) );
         }
-        return array( 'status' => 'error', 'message' => __( 'Integration helpers not available.', 'eventprime-event-calendar-management' ) );
+        return array( 'status' => 'error', 'message' => esc_html__( 'Integration helpers not available.', 'eventprime-event-calendar-management' ) );
     }
 
     protected function integration_get_tickets_by_event( $params ) {
@@ -3252,7 +3252,7 @@             }
             return $res;
         }
-        return array( 'status' => 'error', 'message' => __( 'Integration helpers not available.', 'eventprime-event-calendar-management' ) );
+        return array( 'status' => 'error', 'message' => esc_html__( 'Integration helpers not available.', 'eventprime-event-calendar-management' ) );
     }
 
     protected function integration_all_terms( $taxonomy, $params = array() ) {
@@ -3260,7 +3260,7 @@             case 'em_event_organizer':
                 $collection = $this->ep_fetch_organizers_collection( $params );
                 if ( empty( $collection['items'] ) ) {
-                    return array( 'status' => 'error', 'message' => __( 'No terms found.', 'eventprime-event-calendar-management' ) );
+                    return array( 'status' => 'error', 'message' => esc_html__( 'No terms found.', 'eventprime-event-calendar-management' ) );
                 }
                 return array(
                     'status'     => 'success',
@@ -3270,7 +3270,7 @@             case 'em_venue':
                 $collection = $this->ep_fetch_venues_collection( $params );
                 if ( empty( $collection['items'] ) ) {
-                    return array( 'status' => 'error', 'message' => __( 'No terms found.', 'eventprime-event-calendar-management' ) );
+                    return array( 'status' => 'error', 'message' => esc_html__( 'No terms found.', 'eventprime-event-calendar-management' ) );
                 }
                 return array(
                     'status' => 'success',
@@ -3280,7 +3280,7 @@             case 'em_event_type':
                 $collection = $this->ep_fetch_event_types_collection( $params );
                 if ( empty( $collection['items'] ) ) {
-                    return array( 'status' => 'error', 'message' => __( 'No terms found.', 'eventprime-event-calendar-management' ) );
+                    return array( 'status' => 'error', 'message' => esc_html__( 'No terms found.', 'eventprime-event-calendar-management' ) );
                 }
                 return array(
                     'status'      => 'success',
@@ -3291,7 +3291,7 @@ 
         $terms = get_terms( array( 'taxonomy' => $taxonomy, 'hide_empty' => false, 'orderby' => 'id', 'order' => 'DESC' ) );
         if ( is_wp_error( $terms ) || empty( $terms ) ) {
-            return array( 'status' => 'error', 'message' => __( 'No terms found.', 'eventprime-event-calendar-management' ) );
+            return array( 'status' => 'error', 'message' => esc_html__( 'No terms found.', 'eventprime-event-calendar-management' ) );
         }
         $out = array();
         foreach ( $terms as $t ) {
@@ -3311,7 +3311,7 @@     protected function integration_all_posts( $post_type ) {
         $args = array( 'post_type' => $post_type, 'posts_per_page' => -1, 'orderby' => 'date', 'order' => 'DESC' );
         $posts = get_posts( $args );
-        if ( empty( $posts ) ) return array( 'status' => 'error', 'message' => __( 'No posts found.', 'eventprime-event-calendar-management' ) );
+        if ( empty( $posts ) ) return array( 'status' => 'error', 'message' => esc_html__( 'No posts found.', 'eventprime-event-calendar-management' ) );
         $out = array();
         $epf = new Eventprime_Basic_Functions();
         foreach ( $posts as $p ) {
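Review bot: `'posts_per_page' => -1` makes `integration_all_posts()` load every post of the requested `$post_type` with no upper bound, which is a resource-exhaustion risk for an integration endpoint on large sites; consider a capped page size with pagination parameters. Also, the single-line `if ( empty( $posts ) ) return ...;` without braces departs from the braced style used in the surrounding code.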
@@ -3332,7 +3332,7 @@             $res = $helpers->all_bookings_data( $status, $event_id );
             return $res;
         }
-        return array( 'status' => 'error', 'message' => __( 'Integration helpers not available.', 'eventprime-event-calendar-management' ) );
+        return array( 'status' => 'error', 'message' => esc_html__( 'Integration helpers not available.', 'eventprime-event-calendar-management' ) );
     }
 
     protected function integration_get_booking_sample( $params ) {
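Review bot: this hunk returns `$helpers->all_bookings_data( $status, $event_id )` with no authorization check of its own; the only guard visible is the truthiness of `$helpers`. Since CVE-2025-14507 concerns unauthenticated access to exactly this booking data, the capability check (the `manage_options` test the analysis shows for lines 1130-1131) has to be enforced on every caller, and a defensive `current_user_can( 'manage_options' )` test inside this method would keep a future call site from reintroducing the exposure.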
@@ -3464,7 +3464,7 @@                 }
             }
             if ( $label === '' ) {
-                $label = __( 'Additional Fee', 'eventprime-event-calendar-management' );
+                $label = esc_html__( 'Additional Fee', 'eventprime-event-calendar-management' );
             }
             $price = 0;
             if ( isset( $fee['price'] ) && $fee['price'] !== '' ) {
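Review bot: only the fallback `'Additional Fee'` label is escaped; the value `$label` receives from the `$fee` array above this hunk is not visible here and is the path that carries data. Confirm that `$label` is escaped where it is rendered (`esc_html()` on output) rather than relying on an escaped fallback, so the guarantee does not depend on which branch was taken.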
AI Analysis
I'll analyze this security-focused diff for the EventPrime REST API class.

---

**Vulnerability 1:**

Vulnerability Existed: yes
FALSE POSITIVE

Cross-Site Scripting (XSS) - CWE-79 - includes/class-eventprime-rest-api.php - Lines 76-79, 950, 967, 983, 997, 1084, 1102, 1120, 1142, 1156, 1171, 1185, 2535, 2562, 3056, 3059, 3113, 3126, 3128, 3141, 3143, 3156, 3158, 3173, 3194, 3196, 3212, 3214, 3229, 3231, 3241, 3243, 3255, 3263, 3273, 3283, 3294, 3314, 3335, 3467

Old Code:
```php
'message' => __( 'EventPrime API is disabled.', 'eventprime' ),
```

Fixed Code:
```php
'message' => esc_html__( 'EventPrime API is disabled.', 'eventprime' ),
```

Explanation:
The diff shows a systematic replacement of `__()` function calls with `esc_html__()` function calls throughout the file. The `__()` function only performs translation in WordPress but does NOT escape HTML/special characters. When these messages are included in JSON responses via `wp_send_json()` or returned in arrays that may be output, unescaped user-controlled data or stored data could lead to XSS vulnerabilities. The `esc_html__()` function performs both translation AND HTML escaping, preventing XSS by converting special characters like `<`, `>`, `&`, `"`, and `'` to their HTML entities. This is a legitimate security fix for reflected/stored XSS prevention in API responses.

---

**Vulnerability 2:**

Vulnerability Existed: yes
TRUE POSITIVE

Broken Access Control - CWE-639 - includes/class-eventprime-rest-api.php - Lines 1130-1131

Old Code:
```php
if (!is_user_logged_in() || !current_user_can('edit_posts')) {
    return new WP_Error( 'rest_forbidden', __( 'You are not allowed to access bookings.', 'eventprime-event-calendar-management' ), array( 'status' => 403 ) );
}
```

Fixed Code:
```php
if (!is_user_logged_in() || !current_user_can('manage_options')) {
    return new WP_Error( 'rest_forbidden', esc_html__( 'You are not allowed to access bookings.', 'eventprime-event-calendar-management' ), array( 'status' => 403 ) );
}
```

Explanation:
This change tightens access control for the booking endpoint. The original code allowed any user with `edit_posts` capability (contributors, authors, editors, and admins) to access bookings data. The fix restricts this to only `manage_options` capability, which is limited to administrators. Booking data is sensitive and should not be accessible to regular contributors/authors. This prevents privilege escalation and unauthorized data access.
CVE Analysis Results:
CVE-2025-14507: No
The EventPrime - Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.2.7.0 via the REST API. This makes it possible for unauthenticated attackers to extract sensitive booking data including user names, email addresses, ticket details, payment information, and order keys when the API is enabled by an administrator. The vulnerability was partially patched in version 4.2.7.0.
public/partials/themes/default/profile-tpl.php AI: No vulnerabilities
--- cache/eventprime-event-calendar-management_4.2.7.0/public/partials/themes/default/profile-tpl.php	2026-01-13 11:24:34.012044873 +0000+++ cache/eventprime-event-calendar-management_4.2.8.0/public/partials/themes/default/profile-tpl.php	2026-01-13 11:24:37.828280524 +0000@@ -13,8 +13,8 @@                 <?php if( ! empty( $args->upcoming_bookings ) && count( $args->upcoming_bookings ) > 0 ) {?>
                     <span class="ep-bg-warning ep-rounded-5 ep-px-2 ep-py-1 ep-text-small ep-fw-bold"><?php echo absint( count( $args->upcoming_bookings ) );?></span><?php
                 } else{
-                    esc_html_e( 'No', 'eventprime-event-calendar-management');
-                }?>&nbsp;
+                    esc_html_e( 'no', 'eventprime-event-calendar-management');
+                }?>
                 <?php esc_html_e('events coming up!', 'eventprime-event-calendar-management');?>
             </div>
         </div>
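Review bot: the change only lowercases 'No' and drops the `&nbsp;`; escaping via `esc_html_e()` is unchanged on both lines. Style point: 'no' and 'events coming up!' remain two separate translatable fragments that translators must reassemble, so a single string for the zero case, with the counted variant built through `sprintf()` and a placeholder, would localise better.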
AI Analysis
Vulnerability Existed: no

No CWE Vulnerability Identified

Old Code:
```php
esc_html_e( 'No', 'eventprime-event-calendar-management');
}?>&nbsp;
```

Fixed Code:
```php
esc_html_e( 'no', 'eventprime-event-calendar-management');
}?>
```

Explanation:
This diff contains only cosmetic and formatting changes with no security implications. The changes are:
1. Lowercase 'no' instead of 'No' - a minor string capitalization change that does not affect security
2. Removal of `&nbsp;` (non-breaking space) HTML entity - a whitespace formatting adjustment

Both `esc_html_e()` function calls properly escape the output, and the changes do not introduce, remove, or modify any security vulnerabilities. The escaping mechanism remains intact in both versions. This appears to be a routine UI/formatting update with no security fixes or regressions.
CVE Analysis Results:
CVE-2025-14507: No