CVE Vulnerability Database

CVE-2026-10029: Event Koi Lite Information Disclosure

CVE-2026-10029 is an information disclosure vulnerability in the Event Koi Lite plugin for WordPress that exposes sensitive event data to unauthenticated attackers. This article covers technical details, affected versions, and mitigation.

CVE-2026-10029 Overview

CVE-2026-10029 is a sensitive information exposure vulnerability in the Event Koi Lite – Events Calendar, Event Management, RSVP, and Tickets plugin for WordPress. All versions up to and including 1.3.13.1 are affected through the get_events function. Unauthenticated attackers can extract sensitive data from draft, pending, and private events that are otherwise inaccessible via public URLs. The exposed data includes virtual meeting URLs, physical location addresses, latitude/longitude coordinates, Google Maps links, and RSVP configuration. The vulnerability is classified as Missing Authorization [CWE-862].

Critical Impact

Unauthenticated remote attackers can harvest private event data including meeting URLs and location coordinates from any WordPress site running a vulnerable Event Koi Lite installation.

Affected Products

  • Event Koi Lite WordPress plugin versions up to and including 1.3.13.1
  • WordPress sites using the eventkoi-lite plugin for event management
  • Sites exposing the plugin's get_events REST API endpoint

Discovery Timeline

  • 2026-06-18 - CVE-2026-10029 published to NVD
  • 2026-06-18 - Last updated in NVD database

Technical Details for CVE-2026-10029

Vulnerability Analysis

The vulnerability resides in the Event Koi Lite plugin's REST API implementation, specifically in the get_events handler defined in includes/api/class-events.php and the related class-event.php and core/class-events.php files. The API endpoint returns event records without verifying whether the requester has permission to view non-public event statuses. WordPress event objects can have statuses such as draft, pending, or private, which are intentionally hidden from public consumption. The plugin's query logic returns these records regardless of caller authentication state.

Root Cause

The root cause is a missing authorization check [CWE-862] in the REST API callback. The get_events function does not apply a permission_callback that filters events by published status or verifies the caller's read_private_posts capability. As a result, the endpoint treats sensitive metadata fields — including virtual meeting links, geographic coordinates, and RSVP settings — as publicly readable.
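The authorization check the Vulnerability Analysis and Root Cause paragraphs describe is missing, shown here as an added example of how a REST route for listing events can enforce it. This is not the Event Koi Lite plugin's code and makes no claim about its internals: the namespace "example-events/v1", the post type "example_event", the meta keys and every function name are hypothetical placeholders. The capability names (read_private_posts, edit_others_posts) and the REST API calls are WordPress core.

```php
<?php
// Added example, not the plugin's own code: an events listing route that
// filters by post status according to the caller's capabilities, so draft,
// pending and private records (and their meeting/location metadata) are never
// served to anonymous clients. Names below are hypothetical placeholders.

add_action( 'rest_api_init', 'example_events_register_route' );

function example_events_register_route() {
    register_rest_route(
        'example-events/v1',
        '/events',
        array(
            'methods'             => WP_REST_Server::READABLE,
            'callback'            => 'example_events_get_events',
            // Public listings are a legitimate feature, so anonymous calls are
            // accepted; authorisation is enforced per requested status.
            'permission_callback' => 'example_events_permission',
            'args'                => array(
                'status' => array(
                    'type'    => 'string',
                    'default' => 'publish',
                    // Anything else is rejected by core validation with a 400.
                    'enum'    => array( 'publish', 'draft', 'pending', 'private' ),
                ),
            ),
        )
    );
}

// Statuses the current caller may read. Anonymous users (user ID 0) have no
// capabilities, so they get 'publish' only.
function example_events_readable_statuses(): array {
    $statuses = array( 'publish' );
    if ( current_user_can( 'edit_others_posts' ) ) {
        $statuses[] = 'draft';
        $statuses[] = 'pending';
    }
    if ( current_user_can( 'read_private_posts' ) ) {
        $statuses[] = 'private';
    }
    return $statuses;
}

// Runs before the callback. Core applies the 'default' for 'status' before
// the permission callback, so get_param() is safe here.
// rest_authorization_required_code() yields 401 for anonymous callers and
// 403 for logged-in ones lacking the capability.
function example_events_permission( WP_REST_Request $request ) {
    $requested = $request->get_param( 'status' );
    if ( in_array( $requested, example_events_readable_statuses(), true ) ) {
        return true;
    }
    return new WP_Error(
        'rest_forbidden',
        'You are not allowed to list events with this status.',
        array( 'status' => rest_authorization_required_code() )
    );
}

function example_events_get_events( WP_REST_Request $request ) {
    $query = new WP_Query( array(
        'post_type'      => 'example_event',
        // Never 'any': only the single status the permission callback approved.
        'post_status'    => $request->get_param( 'status' ),
        'posts_per_page' => 50,
        'no_found_rows'  => true,
    ) );

    $events = array();
    foreach ( $query->posts as $post ) {
        $events[] = array(
            'id'          => $post->ID,
            'title'       => get_the_title( $post ),
            'status'      => $post->post_status,
            // Sensitive fields are attached only after the status check has
            // passed; the meta keys are placeholders.
            'meeting_url' => get_post_meta( $post->ID, '_example_meeting_url', true ),
            'location'    => get_post_meta( $post->ID, '_example_location', true ),
        );
    }
    return rest_ensure_response( $events );
}
```

The design point is that the permission callback decides on the requested status rather than silently downgrading it: an anonymous request for status=private gets a 401 that shows up in access logs, which is the behaviour the detection guidance below relies on. The query also pins post_status to the approved value, so a later change to the handler cannot quietly widen it to 'any'.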

Attack Vector

An unauthenticated attacker sends a network request to the plugin's REST API endpoint that resolves to get_events. The server returns a JSON payload containing all events, including those marked as draft, pending, or private. The attacker parses the response to extract virtual meeting URLs, physical addresses, latitude/longitude coordinates, Google Maps links, and RSVP configuration belonging to non-public events. No authentication, user interaction, or privileges are required. See the Wordfence Vulnerability Intelligence report and the WordPress EventKoi Class Events API source for technical details.

Detection Methods for CVE-2026-10029

Indicators of Compromise

  • Unauthenticated HTTP GET requests to WordPress REST API routes registered by the eventkoi-lite plugin, particularly those calling get_events.
  • Outbound responses containing event records with status values of draft, pending, or private served to anonymous clients.
  • Unusual request volume from a single IP enumerating event identifiers or paginated listings of the events endpoint.

Detection Strategies

  • Audit web server access logs for anonymous requests to /wp-json/ routes belonging to the Event Koi plugin and correlate with response body sizes that indicate bulk data return.
  • Inspect WordPress installations for the eventkoi-lite plugin at versions 1.3.13.1 or earlier using site inventory tooling.
  • Review API responses in a test environment to confirm whether non-public events are returned to unauthenticated callers.

Monitoring Recommendations

  • Forward web server and WordPress audit logs to a centralized logging or SIEM platform for analysis of REST API access patterns.
  • Alert on spikes in anonymous requests to plugin-registered REST endpoints and on responses that include event status fields other than publish.
  • Track the plugin version across the WordPress estate and flag any host running versions at or below 1.3.13.1.
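One way to act on the Indicators of Compromise, Detection Strategies and Monitoring Recommendations above, as an added example that is not part of the advisory: a PHP CLI script that parses combined-format web server access logs, keeps only successful hits on the plugin's REST routes, and flags bulk responses and high-volume clients. The route prefix "/wp-json/eventkoi/", the thresholds and the log lines are placeholders constructed for the example; the real route namespace must be taken from the installed plugin.

```php
<?php
// Added example, not from the advisory: scan combined-format access logs for
// successful requests to a plugin's REST routes and flag bulk responses and
// high-volume clients. Prefix, thresholds and sample lines are constructed.

const EXAMPLE_ROUTE_PREFIX = '/wp-json/eventkoi/'; // placeholder namespace
const EXAMPLE_BULK_BYTES   = 20000; // response size that suggests a bulk listing
const EXAMPLE_VOLUME_LIMIT = 3;     // hits per IP before a volume alert

// Combined log format:
// ip - user [time] "method path proto" status bytes "referer" "user-agent"
const EXAMPLE_LOG_RE = '/^(\S+) \S+ (\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-) "[^"]*" "([^"]*)"$/';

function example_parse_line( string $line ): ?array {
    if ( ! preg_match( EXAMPLE_LOG_RE, $line, $m ) ) {
        return null;
    }
    return array(
        'ip'     => $m[1],
        'user'   => $m[2],   // HTTP auth user, "-" when none (not the WP login)
        'time'   => $m[3],
        'method' => $m[4],
        'path'   => $m[5],
        'status' => (int) $m[6],
        'bytes'  => $m[7] === '-' ? 0 : (int) $m[7],
        'ua'     => $m[8],
    );
}

function example_scan_log( array $lines ): array {
    $findings = array();
    $per_ip   = array();

    foreach ( $lines as $line ) {
        $req = example_parse_line( $line );
        if ( $req === null ) {
            continue;
        }
        // Strip the query string so paging parameters do not affect matching.
        $path = strtok( $req['path'], '?' );
        if ( strpos( $path, EXAMPLE_ROUTE_PREFIX ) !== 0 || $req['status'] !== 200 ) {
            continue;
        }

        // The combined format carries no WordPress session state (logins are
        // cookie based), so every successful hit is counted as potentially
        // anonymous; confirm against WordPress audit logs before escalating.
        $per_ip[ $req['ip'] ] = ( $per_ip[ $req['ip'] ] ?? 0 ) + 1;

        if ( $req['bytes'] >= EXAMPLE_BULK_BYTES ) {
            $findings[] = sprintf(
                'bulk response: %s %s %s (%d bytes, ua "%s")',
                $req['ip'], $req['method'], $path, $req['bytes'], $req['ua']
            );
        }
    }

    foreach ( $per_ip as $ip => $count ) {
        if ( $count >= EXAMPLE_VOLUME_LIMIT ) {
            $findings[] = sprintf(
                'high volume: %s made %d successful requests to %s routes',
                $ip, $count, EXAMPLE_ROUTE_PREFIX
            );
        }
    }
    return $findings;
}

// Constructed sample lines (not real traffic): one client paging through the
// listing with a command-line agent, one ordinary single-event fetch, and one
// request to an unrelated core route.
$example_lines = array(
    '203.0.113.5 - - [18/Jun/2026:10:01:02 +0000] "GET /wp-json/eventkoi/v1/events?page=1 HTTP/1.1" 200 48213 "-" "curl/8.0"',
    '203.0.113.5 - - [18/Jun/2026:10:01:03 +0000] "GET /wp-json/eventkoi/v1/events?page=2 HTTP/1.1" 200 47990 "-" "curl/8.0"',
    '203.0.113.5 - - [18/Jun/2026:10:01:04 +0000] "GET /wp-json/eventkoi/v1/events?page=3 HTTP/1.1" 200 46120 "-" "curl/8.0"',
    '198.51.100.7 - - [18/Jun/2026:10:05:00 +0000] "GET /wp-json/eventkoi/v1/events/42 HTTP/1.1" 200 1820 "https://example.test/" "Mozilla/5.0"',
    '198.51.100.9 - - [18/Jun/2026:10:06:00 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 9100 "-" "Mozilla/5.0"',
);

foreach ( example_scan_log( $example_lines ) as $finding ) {
    echo $finding, PHP_EOL;
}
```

Run it with `php scan.php` after replacing `$example_lines` with lines read from the real access log. On the constructed input it reports three bulk responses and one high-volume client for 203.0.113.5 and nothing for the other two addresses. The byte threshold is the part worth tuning per site: a listing that legitimately returns many public events will have a larger baseline, so derive the threshold from a known-good sample rather than the placeholder.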

How to Mitigate CVE-2026-10029

Immediate Actions Required

  • Update the Event Koi Lite plugin to a version newer than 1.3.13.1 as soon as a fixed release is available from the WordPress plugin repository.
  • Inventory all WordPress sites for the eventkoi-lite plugin and identify any instance running a vulnerable version.
  • Treat any sensitive data previously stored in draft, pending, or private events — including meeting URLs and location coordinates — as potentially exposed and rotate them.

Patch Information

Review the WordPress EventKoi Changeset Log for the source code changes addressing this issue. Administrators should upgrade to the latest available release of the Event Koi Lite plugin via the WordPress admin dashboard or by replacing the plugin directory with the patched version.

Workarounds

  • Deactivate and remove the Event Koi Lite plugin until a patched version can be installed if the plugin is not actively required.
  • Use a web application firewall rule to block unauthenticated requests to the plugin's REST API routes, restricting access to authenticated administrative users.
  • Avoid storing sensitive virtual meeting URLs or precise location data in draft, pending, or private events while the vulnerability remains unpatched.

```nginx
# Example WAF rule concept - block unauthenticated access to the plugin's REST routes
# (adapt to your WAF syntax; the route prefix must match the installed plugin's namespace)
location ~* /wp-json/eventkoi/ {
    # Only checks that a WordPress login cookie is present, not that it is
    # valid, so this is a stopgap until the plugin is updated.
    if ($http_cookie !~ "wordpress_logged_in_") {
        return 403;
    }
}
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
