A critical privilege escalation vulnerability has been found in the popular WordPress plugin Eventin, placing more than 10,000 websites at risk of full compromise.
The vulnerability, now tracked as CVE-2025-47539, allows unauthenticated attackers to create administrator accounts without any user interaction, giving them full control over affected websites.
Security researchers are urging site owners to update immediately to version 4.0.27, which contains a patch for this critical security flaw.
The Eventin plugin, developed by Themewinter, is widely used for event management functionality on WordPress sites.
Its extensive adoption across thousands of websites makes this vulnerability particularly concerning, as successful exploitation could lead to site defacement, data theft, malware injection, or use of the compromised sites in larger botnet operations.
Patchstack researchers identified that the vulnerability stems from an improperly secured REST API endpoint in the Eventin plugin that handles speaker imports.
The Vulnerability
The vulnerability was initially reported on April 19, 2025, through Patchstack's Zero Day bug bounty program by security researcher Denver Jackson, who received a $600 USD reward for the discovery.
What makes this vulnerability particularly dangerous is its unauthenticated nature: it requires no login credentials or social engineering to exploit.
An attacker simply needs to send a specially crafted request to the vulnerable endpoint to create an administrator-level account, after which they can access the site's admin dashboard by performing a password reset for that account.
Technical analysis shows that the vulnerability exists in the /wp-json/eventin/v2/speakers/import REST API endpoint.
The core issue lies in the import_item_permissions_check() function, which was implemented to simply return true without performing any actual permission validation:
public function import_item_permissions_check($request) {
    // Vulnerable: grants access to every caller, including unauthenticated ones.
    return true;
}
This implementation allows any unauthenticated user to access the endpoint. Combined with a lack of role validation when processing imported user data, an attacker could submit a CSV file containing their own details with an administrator role specified:
$args = [
    'first_name' => !empty($row['name']) ? $row['name'] : '',
    // Other user details...
    // Vulnerable: the role is taken straight from the uploaded CSV row, unvalidated.
    'role'       => !empty($row['role']) ? $row['role'] : '',
];
Themewinter addressed the vulnerability in version 4.0.27, released on April 30, 2025, by implementing proper permission checks and restricting the roles that can be assigned during user imports:
public function import_item_permissions_check($request)
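The two defects above need two separate fixes: the REST route's permission callback must require a real capability (not merely a logged-in session, which any subscriber has), and the import handler must refuse to assign any role outside a short allowlist regardless of what the uploaded row says. The following is an added illustration of that pattern for a WordPress REST import endpoint; it is not Eventin's source or Themewinter's actual patch, and the namespace `example-events/v1`, the function names prefixed `example_`, and the JSON request shape are assumptions made for the example.

```php
<?php
// Added example, not Eventin's code: a speaker-import REST route that
// (1) gates the endpoint on a capability and (2) allowlists the assignable role.
// Namespace, route, function names and request shape are assumptions.

add_action( 'rest_api_init', function () {
    register_rest_route( 'example-events/v1', '/speakers/import', [
        'methods'             => WP_REST_Server::CREATABLE,
        'callback'            => 'example_import_speakers',
        // The vulnerable pattern here is '__return_true' (or a method that
        // just returns true), which exposes the route to unauthenticated callers.
        'permission_callback' => 'example_import_permissions_check',
    ] );
} );

// Hardened permission check: only users who may create accounts can import.
// is_user_logged_in() alone would be insufficient, since a subscriber passes it.
function example_import_permissions_check( WP_REST_Request $request ) {
    if ( ! current_user_can( 'create_users' ) ) {
        return new WP_Error(
            'rest_forbidden',
            __( 'You are not allowed to import speakers.', 'example-events' ),
            // 401 for anonymous callers, 403 for authenticated but unprivileged ones.
            [ 'status' => rest_authorization_required_code() ]
        );
    }
    return true;
}

// The only roles an import is ever allowed to assign. 'administrator' is
// deliberately absent, so a crafted row cannot escalate.
const EXAMPLE_IMPORT_ALLOWED_ROLES = [ 'subscriber' ];

function example_import_speakers( WP_REST_Request $request ) {
    // Assumption: the body is a JSON array of rows like {"name": ..., "email": ..., "role": ...}.
    $rows    = (array) $request->get_json_params();
    $created = [];

    foreach ( $rows as $row ) {
        $role = isset( $row['role'] ) ? sanitize_key( $row['role'] ) : 'subscriber';
        // Reject the whole import rather than silently downgrading, so a
        // privileged operator notices a tampered file.
        if ( ! in_array( $role, EXAMPLE_IMPORT_ALLOWED_ROLES, true ) ) {
            return new WP_Error(
                'example_invalid_role',
                sprintf( 'Role "%s" may not be assigned by import.', $role ),
                [ 'status' => 400 ]
            );
        }

        $email   = sanitize_email( $row['email'] ?? '' );
        $user_id = wp_insert_user( [
            'user_login' => sanitize_user( $email, true ),
            'user_email' => $email,
            // Random password: the imported account must go through a reset flow.
            'user_pass'  => wp_generate_password( 24 ),
            'first_name' => sanitize_text_field( $row['name'] ?? '' ),
            'role'       => $role,
        ] );

        if ( is_wp_error( $user_id ) ) {
            return $user_id;
        }
        $created[] = $user_id;
    }

    return rest_ensure_response( [ 'created' => $created ] );
}
```

WordPress evaluates permission_callback before the route callback runs, so an anonymous POST to this route is refused with a 401 before any row is parsed. When auditing a plugin for the same class of bug, grep its register_rest_route calls for permission callbacks that are __return_true or whose body is only return true, then check whether each such route writes anything: a public read endpoint can legitimately be open, but an endpoint that creates users or posts cannot.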
WordPress site administrators using the Eventin plugin are strongly advised to update to version 4.0.27 or later immediately.
Those unable to update should consider temporarily disabling the plugin until the update can be applied, as the unauthenticated nature of this exploit makes it particularly dangerous in the wild.