Ovatheme Events Manager

9.8 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Description

The Ovatheme Events Manager plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the process_checkout() function in all versions up to, and including, 1.8.5. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.

Basic Information

ID CVE-2025-6553

Source Wordfence

Published Oct 11, 2025 at 08:29

Affected Product

Vendor ovatheme

Product Ovatheme Events Manager

Version *

Affected Versions ovatheme Ovatheme Events Manager *

CWE Classification

CWE-434

References

{
    "lastseen": "",
    "description": "The Ovatheme Events Manager plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the process_checkout() function in all versions up to, and including, 1.8.5. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.",
    "published": "2025-10-11T08:29:15.689Z",
    "modified": "2025-10-11T08:29:15.689Z",
    "type": "cve",
    "title": "Ovatheme Events Manager <= 1.8.5 - Unauthenticated Arbitrary File Upload",
    "source": "Wordfence",
    "references": "https://www.wordfence.com/threat-intel/vulnerabilities/id/808392a9-dbac-4896-8677-6ddc1213d80d?source=cve\nhttps://themeforest.net/item/em4u-event-management-multipurpose-wordpress-theme/20846579\nhttps://themeforest.net/item/em4u-event-management-multipurpose-wordpress-theme/20846579#item-description__change_log",
    "id": "CVE-2025-6553",
    "bulletinFamily": "",
    "cwe": [
        "CWE-434"
    ],
    "cvelist": null,
    "sourceData": "ovatheme Ovatheme Events Manager *",
    "sourceHref": "",
    "cvss": {
        "score": 9.8,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Ovatheme Events Manager",
    "version": "*",
    "vendor": "ovatheme",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Ovatheme Events Manager <= 1.8.5 - Unauthenticated Arbitrary File Upload_CVE-2025-6553