PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-10029 eventkoi CVE debrief

The Event Koi Lite – Events Calendar, Event Management, RSVP, and Tickets plugin for WordPress is vulnerable to Sensitive Information Exposure. This vulnerability, tracked as CVE-2026-10029, allows unauthenticated attackers to extract sensitive data, including virtual meeting URLs, physical location data, latitude/longitude coordinates, Google Maps links, and RSVP configuration, from draft, pending, and private events. The vulnerability exists in all versions up to, and including, 1.3.13.1, and is accessible via public URLs. The CVSS score for this vulnerability is 5.3, indicating medium severity.

Vendor: eventkoi
Product: Event Koi Lite – Events Calendar, Event Management, RSVP, and Tickets
CVSS: MEDIUM 5.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-18
Original CVE updated: 2026-06-18
Advisory published: 2026-06-18
Advisory updated: 2026-06-18

Who should care

Administrators and users of the Event Koi Lite plugin for WordPress should be aware of this vulnerability and take immediate action to protect their sites. This vulnerability could allow attackers to gain access to sensitive information about events, potentially leading to further exploitation or unauthorized access.

Technical summary

The Event Koi Lite plugin for WordPress is vulnerable to Sensitive Information Exposure due to inadequate access controls on the get_events function. This allows unauthenticated attackers to extract sensitive data, including virtual meeting URLs, physical location data, latitude/longitude coordinates, Google Maps links, and RSVP configuration, from draft, pending, and private events. The vulnerability exists in all versions up to, and including, 1.3.13.1.

Defensive priority

High

Recommended defensive actions

  • Update the Event Koi Lite plugin to the latest version (greater than 1.3.13.1) as soon as possible.
  • Restrict access to sensitive event information to authorized users only.
  • Implement additional security measures, such as monitoring for suspicious activity and limiting the amount of sensitive information displayed on public pages.
  • Consider using a Web Application Firewall (WAF) to detect and prevent exploitation attempts.
  • Regularly review and update plugins and themes to ensure they are up-to-date and secure.
  • Use secure protocols for data transmission, such as HTTPS, to protect sensitive information.
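A check for the affected range stated above, as an added example (not code from the plugin or from the advisory): it reads the Version field from a WordPress plugin header and compares it numerically against 1.3.13.1, because a plain string comparison misorders versions such as 1.3.9. The sample header is constructed, and the function names are this example's own.

```python
import re

# Last affected release, as stated in the advisory text.
LAST_AFFECTED = "1.3.13.1"

# WordPress reads plugin metadata from "Key: value" lines in the leading
# comment of the plugin's main PHP file; "Version:" is one of those keys.
_VERSION_RE = re.compile(r"^[ \t/*#@]*Version:\s*(\S+)", re.IGNORECASE | re.MULTILINE)

# Constructed sample header, not the real plugin file.
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: Example Events Plugin (constructed sample)
 * Version: 1.3.13.1
 */
"""


def version_from_header(header_text):
    """Return the Version field of a plugin header, or None if absent."""
    match = _VERSION_RE.search(header_text)
    return match.group(1) if match else None


def parse_version(text):
    """Turn '1.3.13.1' into (1, 3, 13, 1); reject non-numeric components."""
    parts = text.strip().split(".")
    if not all(part.isdigit() for part in parts):
        raise ValueError(f"unsupported version string: {text!r}")
    return tuple(int(part) for part in parts)


def is_affected(installed, last_affected=LAST_AFFECTED):
    """True when installed <= last_affected, comparing component by component."""
    a, b = parse_version(installed), parse_version(last_affected)
    width = max(len(a), len(b))
    # Pad the shorter tuple with zeros so 1.3.13 compares as 1.3.13.0.
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a <= b


if __name__ == "__main__":
    found = version_from_header(SAMPLE_HEADER)
    print(found, "affected" if is_affected(found) else "not affected")
```

A version string with a non-numeric suffix raises `ValueError` rather than being guessed at, so such installs need a manual look.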

Evidence notes

The information provided is based on data from the National Vulnerability Database (NVD) and the CVE.org website. The vulnerability was reported by [email protected] and has a CVSS score of 5.3, indicating medium severity.

Official resources

CVE-2026-10029 was published on 2026-06-18T06:16:55.747Z and modified on 2026-06-18T15:23:56.087Z.