EXECUTIVE SUMMARY:
A high-severity flaw, scoring 9.8 on the CVSS scale, has been found in a widely used WordPress event management plugin. The flaw affects the feature that handles event speakers through a REST API endpoint. It allows anyone, without an account, to send a specially crafted file to the site. The server processes that file without checking permissions and creates an administrator user. An attacker who succeeds gains full control of the site. Over ten thousand sites using the plugin are at risk.
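Because the outcome described above is a new administrator account, one check a site owner can run is a review of the administrator list. The following is an added example, not part of the advisory: the sample export, the allowlist and the exposure date are constructed assumptions, and the export shape is what `wp user list --format=json` prints.

```python
import json
from datetime import datetime

# Constructed sample in the shape printed by:
#   wp user list --role=administrator --format=json \
#       --fields=ID,user_login,user_email,user_registered
SAMPLE_EXPORT = """[
  {"ID": 1,  "user_login": "siteowner",     "user_email": "owner@example.com", "user_registered": "2021-03-04 09:15:00"},
  {"ID": 7,  "user_login": "editor-lead",   "user_email": "lead@example.com",  "user_registered": "2023-11-20 14:02:31"},
  {"ID": 42, "user_login": "wp_support_01", "user_email": "help@example.net",  "user_registered": "2025-01-18 03:41:07"},
  {"ID": 43, "user_login": "sysbackup",     "user_email": "bk@example.net",    "user_registered": "0000-00-00 00:00:00"}
]"""

KNOWN_ADMINS = {"siteowner", "editor-lead"}  # assumption: your own allowlist of expected admins
EXPOSED_SINCE = datetime(2024, 12, 1)        # assumption: when the affected plugin was installed


def parse_registered(value):
    """Return a datetime, or None for zero-valued, missing or malformed dates."""
    try:
        return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")
    except (TypeError, ValueError):
        return None


def find_unexpected_admins(export_json, known_admins, exposed_since):
    """List administrator accounts that need review, with the reasons for each."""
    findings = []
    for user in json.loads(export_json):
        login = user["user_login"]
        registered = parse_registered(user.get("user_registered"))
        reasons = []
        if login not in known_admins:
            reasons.append("not on allowlist")
        if registered is None:
            reasons.append("unparseable registration date")
        elif registered >= exposed_since:
            reasons.append("created during exposure window")
        if reasons:
            findings.append((str(user["ID"]), login, reasons))
    return findings


if __name__ == "__main__":
    for user_id, login, reasons in find_unexpected_admins(SAMPLE_EXPORT, KNOWN_ADMINS, EXPOSED_SINCE):
        print(f"REVIEW id={user_id} login={login}: {', '.join(reasons)}")
```

An account on the allowlist is still reported if it was created inside the exposure window, so a reused familiar-looking login does not pass unnoticed.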