Search

Find a vulnerability

Search criteria

    32 vulnerabilities found for eventin by themewinter

    CVE-2025-4796 (GCVE-0-2025-4796)

    Vulnerability from nvd – Published: 2025-08-08 18:26 – Updated: 2026-04-08 17:11
    VLAI
    Title
    Eventin <= 4.0.34 - Authenticated (Contributor+) Privilege Escalation via User Email Change/Account Takeover
    Summary
    The Eventin plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 4.0.34. This is due to the plugin not properly validating a user's identity or capability prior to updating their details like email in the 'Eventin\Speaker\Api\SpeakerController::update_item' function. This makes it possible for unauthenticated attackers with contributor-level and above permissions to change arbitrary user's email addresses, including administrators, and leverage that to reset the user's password and gain access to their account.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-639 - Authorization Bypass Through User-Controlled Key
    Assigner
    Impacted products
    Credits
    István Márton
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-4796",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-08-08T18:57:51.340619Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-08-08T18:58:03.058Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Eventin \u2013 Event Calendar, Event Registration, Tickets \u0026 Booking (AI Powered)",
              "vendor": "arraytics",
              "versions": [
                {
                  "lessThanOrEqual": "4.0.34",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Istv\u00e1n M\u00e1rton"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Eventin plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 4.0.34. This is due to the plugin not properly validating a user\u0027s identity or capability prior to updating their details like email in the \u0027Eventin\\Speaker\\Api\\SpeakerController::update_item\u0027 function. This makes it possible for unauthenticated attackers with contributor-level and above permissions to change arbitrary user\u0027s email addresses, including administrators, and leverage that to reset the user\u0027s password and gain access to their account."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-639",
                  "description": "CWE-639 Authorization Bypass Through User-Controlled Key",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T17:11:41.513Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9e0d441d-1da5-45e7-8a14-ce178099c0cc?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wp-event-solution/tags/4.0.28/core/speaker/Api/SpeakerController.php#L419"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3336972/wp-event-solution/trunk/core/speaker/Api/SpeakerController.php#file0"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2025-05-15T00:00:00.000Z",
              "value": "Discovered"
            },
            {
              "lang": "en",
              "time": "2025-05-15T00:00:00.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2025-08-08T00:00:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Eventin \u003c= 4.0.34 - Authenticated (Contributor+) Privilege Escalation via User Email Change/Account Takeover"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2025-4796",
        "datePublished": "2025-08-08T18:26:26.586Z",
        "dateReserved": "2025-05-15T17:20:16.666Z",
        "dateUpdated": "2026-04-08T17:11:41.513Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-49321 (GCVE-0-2025-49321)

    Vulnerability from nvd – Published: 2025-06-27 11:52 – Updated: 2026-04-28 16:13
    VLAI
    Title
    WordPress Eventin plugin <= 4.0.28 - Cross Site Scripting (XSS) Vulnerability
    Summary
    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Arraytics Eventin wp-event-solution allows Reflected XSS.This issue affects Eventin: from n/a through <= 4.0.28.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    References
    Impacted products
    Vendor Product Version
    Arraytics Eventin Affected: 0 , ≤ 4.0.28 (custom)
    Create a notification for this product.
    Date Public
    2026-04-01 16:41
    Credits
    Nguyen Ngoc Quang Bach (maysbachs) | Patchstack Bug Bounty Program
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-49321",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-06-27T14:37:56.711564Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-06-27T14:47:12.677Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://wordpress.org/plugins",
              "defaultStatus": "unaffected",
              "packageName": "wp-event-solution",
              "product": "Eventin",
              "vendor": "Arraytics",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "4.0.29",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "4.0.28",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Nguyen Ngoc Quang Bach (maysbachs) | Patchstack Bug Bounty Program"
            }
          ],
          "datePublic": "2026-04-01T16:41:03.525Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in Arraytics Eventin wp-event-solution allows Reflected XSS.\u003cp\u003eThis issue affects Eventin: from n/a through \u003c= 4.0.28.\u003c/p\u003e"
                }
              ],
              "value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in Arraytics Eventin wp-event-solution allows Reflected XSS.This issue affects Eventin: from n/a through \u003c= 4.0.28."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-591",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "Reflected XSS"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 7.1,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-28T16:13:00.966Z",
            "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
            "shortName": "Patchstack"
          },
          "references": [
            {
              "tags": [
                "vdb-entry"
              ],
              "url": "https://patchstack.com/database/Wordpress/Plugin/wp-event-solution/vulnerability/wordpress-eventin-4-0-28-cross-site-scripting-xss-vulnerability?_s_id=cve"
            }
          ],
          "title": "WordPress Eventin plugin \u003c= 4.0.28 - Cross Site Scripting (XSS) Vulnerability"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "assignerShortName": "Patchstack",
        "cveId": "CVE-2025-49321",
        "datePublished": "2025-06-27T11:52:32.006Z",
        "dateReserved": "2025-06-04T09:42:07.048Z",
        "dateUpdated": "2026-04-28T16:13:00.966Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-47539 (GCVE-0-2025-47539)

    Vulnerability from nvd – Published: 2025-05-23 12:43 – Updated: 2026-04-28 16:12
    VLAI KEVIntel
    Title
    WordPress Eventin plugin <= 4.0.26 - Privilege Escalation Vulnerability
    Summary
    Incorrect Privilege Assignment vulnerability in Arraytics Eventin wp-event-solution allows Privilege Escalation.This issue affects Eventin: from n/a through <= 4.0.26.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-266 - Incorrect Privilege Assignment
    Assigner
    References
    Impacted products
    Vendor Product Version
    Arraytics Eventin Affected: 0 , ≤ 4.0.26 (custom)
    Create a notification for this product.
    Date Public
    2026-04-01 16:40
    Credits
    Denver Jackson | Patchstack Bug Bounty Program
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-47539",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-05-23T16:36:24.686857Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-05-23T16:42:00.759Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://wordpress.org/plugins",
              "defaultStatus": "unaffected",
              "packageName": "wp-event-solution",
              "product": "Eventin",
              "vendor": "Arraytics",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "4.0.27",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "4.0.26",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Denver Jackson | Patchstack Bug Bounty Program"
            }
          ],
          "datePublic": "2026-04-01T16:40:08.054Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Incorrect Privilege Assignment vulnerability in Arraytics Eventin wp-event-solution allows Privilege Escalation.\u003cp\u003eThis issue affects Eventin: from n/a through \u003c= 4.0.26.\u003c/p\u003e"
                }
              ],
              "value": "Incorrect Privilege Assignment vulnerability in Arraytics Eventin wp-event-solution allows Privilege Escalation.This issue affects Eventin: from n/a through \u003c= 4.0.26."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-233",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "Privilege Escalation"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-266",
                  "description": "Incorrect Privilege Assignment",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-28T16:12:44.335Z",
            "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
            "shortName": "Patchstack"
          },
          "references": [
            {
              "tags": [
                "vdb-entry"
              ],
              "url": "https://patchstack.com/database/Wordpress/Plugin/wp-event-solution/vulnerability/wordpress-eventin-4-0-26-privilege-escalation-vulnerability?_s_id=cve"
            }
          ],
          "title": "WordPress Eventin plugin \u003c= 4.0.26 - Privilege Escalation Vulnerability"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "assignerShortName": "Patchstack",
        "cveId": "CVE-2025-47539",
        "datePublished": "2025-05-23T12:43:31.396Z",
        "dateReserved": "2025-05-07T09:39:53.906Z",
        "dateUpdated": "2026-04-28T16:12:44.335Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-47445 (GCVE-0-2025-47445)

    Vulnerability from nvd – Published: 2025-05-14 11:37 – Updated: 2026-05-12 00:16
    VLAI
    Title
    WordPress Eventin plugin <= 4.0.26 - Arbitrary File Download Vulnerability
    Summary
    Relative Path Traversal vulnerability in Arraytics Eventin wp-event-solution allows Path Traversal.This issue affects Eventin: from n/a through <= 4.0.26.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-23 - Relative Path Traversal
    Assigner
    References
    Impacted products
    Vendor Product Version
    Arraytics Eventin Affected: 0 , ≤ 4.0.26 (custom)
    Create a notification for this product.
    Date Public
    2026-04-01 16:39
    Credits
    Martino Spagnuolo (r3verii) | Patchstack Bug Bounty Program
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-47445",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-05-14T13:27:20.650330Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-12T00:16:18.055Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://wordpress.org/plugins",
              "defaultStatus": "unaffected",
              "packageName": "wp-event-solution",
              "product": "Eventin",
              "vendor": "Arraytics",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "4.0.27",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "4.0.26",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Martino Spagnuolo (r3verii) | Patchstack Bug Bounty Program"
            }
          ],
          "datePublic": "2026-04-01T16:39:56.092Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Relative Path Traversal vulnerability in Arraytics Eventin wp-event-solution allows Path Traversal.\u003cp\u003eThis issue affects Eventin: from n/a through \u003c= 4.0.26.\u003c/p\u003e"
                }
              ],
              "value": "Relative Path Traversal vulnerability in Arraytics Eventin wp-event-solution allows Path Traversal.This issue affects Eventin: from n/a through \u003c= 4.0.26."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-126",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "Path Traversal"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-23",
                  "description": "Relative Path Traversal",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-28T16:12:40.902Z",
            "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
            "shortName": "Patchstack"
          },
          "references": [
            {
              "tags": [
                "vdb-entry"
              ],
              "url": "https://patchstack.com/database/Wordpress/Plugin/wp-event-solution/vulnerability/wordpress-eventin-4-0-26-arbitrary-file-download-vulnerability?_s_id=cve"
            }
          ],
          "title": "WordPress Eventin plugin \u003c= 4.0.26 - Arbitrary File Download Vulnerability"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "assignerShortName": "Patchstack",
        "cveId": "CVE-2025-47445",
        "datePublished": "2025-05-14T11:37:49.467Z",
        "dateReserved": "2025-05-07T09:38:32.079Z",
        "dateUpdated": "2026-05-12T00:16:18.055Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-3419 (GCVE-0-2025-3419)

    Vulnerability from nvd – Published: 2025-05-08 05:22 – Updated: 2026-04-08 16:36
    VLAI
    Title
    Event Manager, Events Calendar, Tickets, Registrations – Eventin <= 4.0.26 - Unauthenticated Arbitrary File Read
    Summary
    The Event Manager, Events Calendar, Tickets, Registrations – Eventin plugin for WordPress is vulnerable to arbitrary file read in all versions up to, and including, 4.0.26 via the proxy_image() function. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information. CVE-2025-47445 is a duplicate of this vulnerability.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-73 - External Control of File Name or Path
    Assigner
    Impacted products
    Credits
    Michael Mazzolini
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-3419",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-05-08T14:11:17.752616Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-05-08T14:12:20.919Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Eventin \u2013 Event Calendar, Event Registration, Tickets \u0026 Booking (AI Powered)",
              "vendor": "arraytics",
              "versions": [
                {
                  "lessThanOrEqual": "4.0.26",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Michael Mazzolini"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Event Manager, Events Calendar, Tickets, Registrations \u2013 Eventin plugin for WordPress is vulnerable to arbitrary file read in all versions up to, and including, 4.0.26 via the proxy_image() function. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information. CVE-2025-47445 is a duplicate of this vulnerability."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-73",
                  "description": "CWE-73 External Control of File Name or Path",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T16:36:48.311Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1479071c-85c3-41fd-8ad7-f0dee32f201b?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3284545/wp-event-solution/trunk/core/Admin/Hooks.php"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2025-05-07T16:25:44.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Event Manager, Events Calendar, Tickets, Registrations \u2013 Eventin \u003c= 4.0.26 - Unauthenticated Arbitrary File Read"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2025-3419",
        "datePublished": "2025-05-08T05:22:51.039Z",
        "dateReserved": "2025-04-07T14:50:06.932Z",
        "dateUpdated": "2026-04-08T16:36:48.311Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-39584 (GCVE-0-2025-39584)

    Vulnerability from nvd – Published: 2025-04-16 12:44 – Updated: 2026-04-28 16:12
    VLAI
    Title
    WordPress Eventin plugin <= 4.0.25 - Local File Inclusion Vulnerability
    Summary
    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Arraytics Eventin wp-event-solution allows PHP Local File Inclusion.This issue affects Eventin: from n/a through <= 4.0.25.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-98 - Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
    Assigner
    References
    Impacted products
    Vendor Product Version
    Arraytics Eventin Affected: 0 , ≤ 4.0.25 (custom)
    Create a notification for this product.
    Date Public
    2026-04-01 16:39
    Credits
    theviper17 | Patchstack Bug Bounty Program
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-39584",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-16T14:27:47.991410Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-16T14:28:05.665Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://wordpress.org/plugins",
              "defaultStatus": "unaffected",
              "packageName": "wp-event-solution",
              "product": "Eventin",
              "vendor": "Arraytics",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "4.0.26",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "4.0.25",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "theviper17 | Patchstack Bug Bounty Program"
            }
          ],
          "datePublic": "2026-04-01T16:39:34.684Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Improper Control of Filename for Include/Require Statement in PHP Program (\u0027PHP Remote File Inclusion\u0027) vulnerability in Arraytics Eventin wp-event-solution allows PHP Local File Inclusion.\u003cp\u003eThis issue affects Eventin: from n/a through \u003c= 4.0.25.\u003c/p\u003e"
                }
              ],
              "value": "Improper Control of Filename for Include/Require Statement in PHP Program (\u0027PHP Remote File Inclusion\u0027) vulnerability in Arraytics Eventin wp-event-solution allows PHP Local File Inclusion.This issue affects Eventin: from n/a through \u003c= 4.0.25."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-252",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "PHP Local File Inclusion"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-98",
                  "description": "Improper Control of Filename for Include/Require Statement in PHP Program (\u0027PHP Remote File Inclusion\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-28T16:12:35.217Z",
            "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
            "shortName": "Patchstack"
          },
          "references": [
            {
              "tags": [
                "vdb-entry"
              ],
              "url": "https://patchstack.com/database/Wordpress/Plugin/wp-event-solution/vulnerability/wordpress-eventin-4-0-25-local-file-inclusion-vulnerability?_s_id=cve"
            }
          ],
          "title": "WordPress Eventin plugin \u003c= 4.0.25 - Local File Inclusion Vulnerability"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "assignerShortName": "Patchstack",
        "cveId": "CVE-2025-39584",
        "datePublished": "2025-04-16T12:44:22.763Z",
        "dateReserved": "2025-04-16T06:26:44.221Z",
        "dateUpdated": "2026-04-28T16:12:35.217Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-1770 (GCVE-0-2025-1770)

    Vulnerability from nvd – Published: 2025-03-20 05:22 – Updated: 2026-04-08 16:56
    VLAI
    Title
    Event Manager, Events Calendar, Tickets, Registrations – Eventin <= 4.0.24 - Authenticated (Contributor+) Local File Inclusion
    Summary
    The Event Manager, Events Calendar, Tickets, Registrations – Eventin plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.0.24 via the 'style' parameter. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
    Assigner
    Impacted products
    Credits
    wesley
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-1770",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-03-20T15:11:08.732933Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-03-20T15:11:17.756Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Eventin \u2013 Event Calendar, Event Registration, Tickets \u0026 Booking (AI Powered)",
              "vendor": "arraytics",
              "versions": [
                {
                  "lessThanOrEqual": "4.0.24",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "wesley"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Event Manager, Events Calendar, Tickets, Registrations \u2013 Eventin plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.0.24 via the \u0027style\u0027 parameter. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other \u201csafe\u201d file types can be uploaded and included."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T16:56:18.670Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5f24baee-7003-449b-9072-d95fa1e26c8f?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wp-event-solution/tags/4.0.24/widgets/upcoming-event-tab/style/tab-1.php#L53"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wp-event-solution/tags/4.0.24/widgets/events-calendar/events-calendar.php#L715"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3257023/"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2025-03-19T17:03:49.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Event Manager, Events Calendar, Tickets, Registrations \u2013 Eventin \u003c= 4.0.24 - Authenticated (Contributor+) Local File Inclusion"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2025-1770",
        "datePublished": "2025-03-20T05:22:34.878Z",
        "dateReserved": "2025-02-28T00:09:15.655Z",
        "dateUpdated": "2026-04-08T16:56:18.670Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-1766 (GCVE-0-2025-1766)

    Vulnerability from nvd – Published: 2025-03-20 05:22 – Updated: 2026-04-08 17:32
    VLAI
    Title
    Event Manager, Events Calendar, Tickets, Registrations – Eventin <= 4.0.24 - Missing Authorization to Unauthenticated Payment Status Update
    Summary
    The Event Manager, Events Calendar, Tickets, Registrations – Eventin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'payment_complete' function in all versions up to, and including, 4.0.24. This makes it possible for unauthenticated attackers to update the status of ticket payments to 'completed', possibly resulting in financial loss.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Credits
    wesley
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-1766",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-03-20T15:10:46.195717Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-03-20T15:10:55.571Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Eventin \u2013 Event Calendar, Event Registration, Tickets \u0026 Booking (AI Powered)",
              "vendor": "arraytics",
              "versions": [
                {
                  "lessThanOrEqual": "4.0.24",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "wesley"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Event Manager, Events Calendar, Tickets, Registrations \u2013 Eventin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the \u0027payment_complete\u0027 function in all versions up to, and including, 4.0.24. This makes it possible for unauthenticated attackers to update the status of ticket payments to \u0027completed\u0027, possibly resulting in financial loss."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862 Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T17:32:40.671Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f2bcaff9-bf04-4d8e-9422-c433264067ff?source=cve"
            },
            {
              "url": "http://plugins.trac.wordpress.org/browser/wp-event-solution/tags/4.0.24/core/Order/PaymentController.php#L97"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3257023/"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2025-03-19T17:03:39.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Event Manager, Events Calendar, Tickets, Registrations \u2013 Eventin \u003c= 4.0.24 - Missing Authorization to Unauthenticated Payment Status Update"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2025-1766",
        "datePublished": "2025-03-20T05:22:35.308Z",
        "dateReserved": "2025-02-27T19:26:34.096Z",
        "dateUpdated": "2026-04-08T17:32:40.671Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-26964 (GCVE-0-2025-26964)

    Vulnerability from nvd – Published: 2025-02-25 14:17 – Updated: 2026-04-28 16:11
    VLAI
    Title
    WordPress Eventin plugin <= 4.0.20 - Local File Inclusion vulnerability
    Summary
    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Arraytics Eventin wp-event-solution allows PHP Local File Inclusion.This issue affects Eventin: from n/a through <= 4.0.20.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-98 - Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
    Assigner
    References
    Impacted products
    Vendor Product Version
    Arraytics Eventin Affected: 0 , ≤ 4.0.20 (custom)
    Create a notification for this product.
    Date Public
    2026-04-01 16:35
    Credits
    Peter Thaleikis | Patchstack Bug Bounty Program
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-26964",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-02-25T14:55:43.356119Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-02-25T14:55:57.382Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://wordpress.org/plugins",
              "defaultStatus": "unaffected",
              "packageName": "wp-event-solution",
              "product": "Eventin",
              "vendor": "Arraytics",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "4.0.21",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "4.0.20",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Peter Thaleikis | Patchstack Bug Bounty Program"
            }
          ],
          "datePublic": "2026-04-01T16:35:28.353Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Improper Control of Filename for Include/Require Statement in PHP Program (\u0027PHP Remote File Inclusion\u0027) vulnerability in Arraytics Eventin wp-event-solution allows PHP Local File Inclusion.\u003cp\u003eThis issue affects Eventin: from n/a through \u003c= 4.0.20.\u003c/p\u003e"
                }
              ],
              "value": "Improper Control of Filename for Include/Require Statement in PHP Program (\u0027PHP Remote File Inclusion\u0027) vulnerability in Arraytics Eventin wp-event-solution allows PHP Local File Inclusion.This issue affects Eventin: from n/a through \u003c= 4.0.20."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-252",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "PHP Local File Inclusion"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-98",
                  "description": "Improper Control of Filename for Include/Require Statement in PHP Program (\u0027PHP Remote File Inclusion\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-28T16:11:44.838Z",
            "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
            "shortName": "Patchstack"
          },
          "references": [
            {
              "tags": [
                "vdb-entry"
              ],
              "url": "https://patchstack.com/database/Wordpress/Plugin/wp-event-solution/vulnerability/wordpress-eventin-plugin-4-0-20-local-file-inclusion-vulnerability?_s_id=cve"
            }
          ],
          "title": "WordPress Eventin plugin \u003c= 4.0.20 - Local File Inclusion vulnerability"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "assignerShortName": "Patchstack",
        "cveId": "CVE-2025-26964",
        "datePublished": "2025-02-25T14:17:57.457Z",
        "dateReserved": "2025-02-17T11:51:33.745Z",
        "dateUpdated": "2026-04-28T16:11:44.838Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-56213 (GCVE-0-2024-56213)

    Vulnerability from nvd – Published: 2024-12-31 10:02 – Updated: 2026-04-28 16:10
    VLAI
    Title
    WordPress Eventin plugin <= 4.0.7 - Contributor+ Limited Local File Inclusion vulnerability
    Summary
    Path Traversal: '.../...//' vulnerability in Arraytics Eventin wp-event-solution allows Path Traversal.This issue affects Eventin: from n/a through <= 4.0.7.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-35 - Path Traversal: '.../...//'
    Assigner
    References
    Impacted products
    Vendor Product Version
    Arraytics Eventin Affected: 0 , ≤ 4.0.7 (custom)
    Create a notification for this product.
    Date Public
    2026-04-01 16:31
    Credits
    João Pedro S Alcântara (Kinorth) | Patchstack Bug Bounty Program
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-56213",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-01-02T19:28:10.658906Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-01-02T19:28:19.467Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://wordpress.org/plugins",
              "defaultStatus": "unaffected",
              "packageName": "wp-event-solution",
              "product": "Eventin",
              "vendor": "Arraytics",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "4.0.9",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "4.0.7",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Jo\u00e3o Pedro S Alc\u00e2ntara (Kinorth) | Patchstack Bug Bounty Program"
            }
          ],
          "datePublic": "2026-04-01T16:31:04.431Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Path Traversal: \u0027.../...//\u0027 vulnerability in Arraytics Eventin wp-event-solution allows Path Traversal.\u003cp\u003eThis issue affects Eventin: from n/a through \u003c= 4.0.7.\u003c/p\u003e"
                }
              ],
              "value": "Path Traversal: \u0027.../...//\u0027 vulnerability in Arraytics Eventin wp-event-solution allows Path Traversal.This issue affects Eventin: from n/a through \u003c= 4.0.7."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-126",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "Path Traversal"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-35",
                  "description": "Path Traversal: \u0027.../...//\u0027",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-28T16:10:55.181Z",
            "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
            "shortName": "Patchstack"
          },
          "references": [
            {
              "tags": [
                "vdb-entry"
              ],
              "url": "https://patchstack.com/database/Wordpress/Plugin/wp-event-solution/vulnerability/wordpress-eventin-plugin-4-0-7-contributor-limited-local-file-inclusion-vulnerability?_s_id=cve"
            }
          ],
          "title": "WordPress Eventin plugin \u003c= 4.0.7 - Contributor+ Limited Local File Inclusion vulnerability"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "assignerShortName": "Patchstack",
        "cveId": "CVE-2024-56213",
        "datePublished": "2024-12-31T10:02:21.132Z",
        "dateReserved": "2024-12-18T19:03:54.296Z",
        "dateUpdated": "2026-04-28T16:10:55.181Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2023-49756 (GCVE-0-2023-49756)

    Vulnerability from nvd – Published: 2024-12-09 11:30 – Updated: 2026-05-11 22:20
    VLAI
    Title
    WordPress Eventin plugin <= 3.3.52 - Authenticated Notice Dismissal Vulnerability
    Summary
    Missing Authorization vulnerability in Arraytics Eventin wp-event-solution allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Eventin: from n/a through <= 3.3.52.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    Arraytics Eventin Affected: 0 , ≤ 3.3.52 (custom)
    Create a notification for this product.
    Date Public
    2026-04-22 14:35
    Credits
    Abdi Pranata | Patchstack Bug Bounty Program
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-49756",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-12-09T13:50:43.834472Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-11T22:20:29.585Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://wordpress.org/plugins",
              "defaultStatus": "unaffected",
              "packageName": "wp-event-solution",
              "product": "Eventin",
              "vendor": "Arraytics",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "3.3.53",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "3.3.52",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Abdi Pranata | Patchstack Bug Bounty Program"
            }
          ],
          "datePublic": "2026-04-22T14:35:10.629Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Missing Authorization vulnerability in Arraytics Eventin wp-event-solution allows Exploiting Incorrectly Configured Access Control Security Levels.\u003cp\u003eThis issue affects Eventin: from n/a through \u003c= 3.3.52.\u003c/p\u003e"
                }
              ],
              "value": "Missing Authorization vulnerability in Arraytics Eventin wp-event-solution allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Eventin: from n/a through \u003c= 3.3.52."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-180",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "Exploiting Incorrectly Configured Access Control Security Levels"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-29T09:51:52.336Z",
            "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
            "shortName": "Patchstack"
          },
          "references": [
            {
              "tags": [
                "vdb-entry"
              ],
              "url": "https://patchstack.com/database/Wordpress/Plugin/wp-event-solution/vulnerability/wordpress-eventin-plugin-3-3-44-authenticated-notice-dismissal-vulnerability?_s_id=cve"
            }
          ],
          "title": "WordPress Eventin plugin \u003c= 3.3.52 - Authenticated Notice Dismissal Vulnerability"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "assignerShortName": "Patchstack",
        "cveId": "CVE-2023-49756",
        "datePublished": "2024-12-09T11:30:15.153Z",
        "dateReserved": "2023-11-30T13:22:02.831Z",
        "dateUpdated": "2026-05-11T22:20:29.585Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-7149 (GCVE-0-2024-7149)

    Vulnerability from nvd – Published: 2024-09-27 13:52 – Updated: 2026-04-08 17:01
    VLAI
    Title
    Event Manager, Events Calendar, Tickets, Registrations – Eventin <= 4.0.8 - Authenticated (Contributor+) Local File Inclusion
    Summary
    The Event Manager, Events Calendar, Tickets, Registrations – Eventin plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.0.8 via multiple style parameters. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
    Assigner
    Impacted products
    Vendor Product Version
    arraytics Eventin – Event Calendar, Event Registration, Tickets & Booking (AI Powered) Affected: 0 , ≤ 4.0.8 (semver)
    Create a notification for this product.
    themewinter eventin Affected: 0 , ≤ 4.0.8 (semver)
        cpe:2.3:a:themewinter:eventin:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Matthew Rollings
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:themewinter:eventin:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "eventin",
                "vendor": "themewinter",
                "versions": [
                  {
                    "lessThanOrEqual": "4.0.8",
                    "status": "affected",
                    "version": "0",
                    "versionType": "semver"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-7149",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-09-27T15:03:13.900374Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-09-27T16:21:52.561Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Eventin \u2013 Event Calendar, Event Registration, Tickets \u0026 Booking (AI Powered)",
              "vendor": "arraytics",
              "versions": [
                {
                  "lessThanOrEqual": "4.0.8",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Matthew Rollings"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Event Manager, Events Calendar, Tickets, Registrations \u2013 Eventin plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.0.8 via multiple style parameters. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other \u201csafe\u201d file types can be uploaded and included."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T17:01:18.970Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/75537b61-5622-4b35-b80e-389526bd99f0?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wp-event-solution/trunk/widgets/speakers/speakers.php#L483"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wp-event-solution/trunk/widgets/events/events.php#L754"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wp-event-solution/trunk/widgets/schedule/schedule.php#L368"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wp-event-solution/trunk/widgets/schedule-list/schedule-list.php#L293"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wp-event-solution/trunk/widgets/events-tab/style/tab-1.php#L42"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3157415/"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2024-09-26T00:00:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Event Manager, Events Calendar, Tickets, Registrations \u2013 Eventin \u003c= 4.0.8 - Authenticated (Contributor+) Local File Inclusion"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2024-7149",
        "datePublished": "2024-09-27T13:52:55.422Z",
        "dateReserved": "2024-07-26T21:05:54.791Z",
        "dateUpdated": "2026-04-08T17:01:18.970Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-39648 (GCVE-0-2024-39648)

    Vulnerability from nvd – Published: 2024-08-01 21:56 – Updated: 2026-04-28 16:10
    VLAI
    Title
    WordPress Eventin plugin <= 4.0.5 - Cross Site Scripting (XSS) vulnerability
    Summary
    Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Themewinter Eventin allows Stored XSS.This issue affects Eventin: from n/a through 4.0.5.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
    Assigner
    References
    Impacted products
    Vendor Product Version
    Themewinter Eventin Affected: n/a , ≤ 4.0.5 (custom)
    Create a notification for this product.
    Credits
    justakazh (Patchstack Alliance)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-39648",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-08-02T18:16:43.044596Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-08-02T18:18:49.894Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://wordpress.org/plugins",
              "defaultStatus": "unaffected",
              "packageName": "wp-event-solution",
              "product": "Eventin",
              "vendor": "Themewinter",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "4.0.6",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "4.0.5",
                  "status": "affected",
                  "version": "n/a",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "user": "00000000-0000-4000-9000-000000000000",
              "value": "justakazh (Patchstack Alliance)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027) vulnerability in Themewinter Eventin allows Stored XSS.\u003cp\u003eThis issue affects Eventin: from n/a through 4.0.5.\u003c/p\u003e"
                }
              ],
              "value": "Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027) vulnerability in Themewinter Eventin allows Stored XSS.This issue affects Eventin: from n/a through 4.0.5."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-592",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-592 Stored XSS"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 5.9,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-28T16:10:07.704Z",
            "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
            "shortName": "Patchstack"
          },
          "references": [
            {
              "tags": [
                "vdb-entry"
              ],
              "url": "https://patchstack.com/database/vulnerability/wp-event-solution/wordpress-eventin-plugin-4-0-5-cross-site-scripting-xss-vulnerability?_s_id=cve"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Update to 4.0.6 or a higher version."
                }
              ],
              "value": "Update to 4.0.6 or a higher version."
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "WordPress Eventin plugin \u003c= 4.0.5 - Cross Site Scripting (XSS) vulnerability",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "assignerShortName": "Patchstack",
        "cveId": "CVE-2024-39648",
        "datePublished": "2024-08-01T21:56:27.877Z",
        "dateReserved": "2024-06-26T21:18:49.917Z",
        "dateUpdated": "2026-04-28T16:10:07.704Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-37507 (GCVE-0-2024-37507)

    Vulnerability from nvd – Published: 2024-07-21 07:21 – Updated: 2026-04-28 16:10
    VLAI
    Title
    WordPress Eventin plugin <= 3.3.57 - Cross Site Scripting (XSS) vulnerability
    Summary
    Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Themewinter Eventin allows Stored XSS.This issue affects Eventin: from n/a through 3.3.57.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
    Assigner
    References
    Impacted products
    Vendor Product Version
    Themewinter Eventin Affected: n/a , ≤ 3.3.57 (custom)
    Create a notification for this product.
    Credits
    justakazh (Patchstack Alliance)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-37507",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-07-22T13:44:41.431606Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-07-22T20:29:12.745Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T03:57:39.538Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "vdb-entry",
                  "x_transferred"
                ],
                "url": "https://patchstack.com/database/vulnerability/wp-event-solution/wordpress-eventin-plugin-3-3-57-cross-site-scripting-xss-vulnerability?_s_id=cve"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://wordpress.org/plugins",
              "defaultStatus": "unaffected",
              "packageName": "wp-event-solution",
              "product": "Eventin",
              "vendor": "Themewinter",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "4.0.0",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "3.3.57",
                  "status": "affected",
                  "version": "n/a",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "user": "00000000-0000-4000-9000-000000000000",
              "value": "justakazh (Patchstack Alliance)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027) vulnerability in Themewinter Eventin allows Stored XSS.\u003cp\u003eThis issue affects Eventin: from n/a through 3.3.57.\u003c/p\u003e"
                }
              ],
              "value": "Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027) vulnerability in Themewinter Eventin allows Stored XSS.This issue affects Eventin: from n/a through 3.3.57."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-592",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-592 Stored XSS"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-28T16:10:00.461Z",
            "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
            "shortName": "Patchstack"
          },
          "references": [
            {
              "tags": [
                "vdb-entry"
              ],
              "url": "https://patchstack.com/database/vulnerability/wp-event-solution/wordpress-eventin-plugin-3-3-57-cross-site-scripting-xss-vulnerability?_s_id=cve"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Update to 4.0.0 or a higher version."
                }
              ],
              "value": "Update to 4.0.0 or a higher version."
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "WordPress Eventin plugin \u003c= 3.3.57 - Cross Site Scripting (XSS) vulnerability",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "assignerShortName": "Patchstack",
        "cveId": "CVE-2024-37507",
        "datePublished": "2024-07-21T07:21:16.160Z",
        "dateReserved": "2024-06-09T13:11:08.416Z",
        "dateUpdated": "2026-04-28T16:10:00.461Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-6033 (GCVE-0-2024-6033)

    Vulnerability from nvd – Published: 2024-07-17 06:45 – Updated: 2026-04-08 16:37
    VLAI
    Title
    Event Manager, Events Calendar, Tickets, Registrations – Eventin <= 4.0.4 - Missing Authorization to Authenticated (Contributor+) Event Data Import
    Summary
    The Event Manager, Events Calendar, Tickets, Registrations – Eventin plugin for WordPress is vulnerable to unauthorized data importation due to a missing capability check on the 'import_file' function in all versions up to, and including, 4.0.4. This makes it possible for authenticated attackers, with Contributor-level access and above, to import events, speakers, schedules and attendee data.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Credits
    Peter Thaleikis
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-6033",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-07-17T13:18:25.340637Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-07-18T13:39:16.897Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T21:25:03.214Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1725c7f3-2fac-4714-a63e-6c43694483fc?source=cve"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://plugins.trac.wordpress.org/browser/wp-event-solution/trunk/core/admin/hooks.php#L135"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://plugins.trac.wordpress.org/changeset/3117477/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Eventin \u2013 Event Calendar, Event Registration, Tickets \u0026 Booking (AI Powered)",
              "vendor": "arraytics",
              "versions": [
                {
                  "lessThanOrEqual": "4.0.4",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Peter Thaleikis"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Event Manager, Events Calendar, Tickets, Registrations \u2013 Eventin plugin for WordPress is vulnerable to unauthorized data importation due to a missing capability check on the \u0027import_file\u0027 function in all versions up to, and including, 4.0.4. This makes it possible for authenticated attackers, with Contributor-level access and above, to import events, speakers, schedules and attendee data."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862 Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T16:37:19.652Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1725c7f3-2fac-4714-a63e-6c43694483fc?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wp-event-solution/trunk/core/admin/hooks.php#L135"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3117477/"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2024-07-16T00:00:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Event Manager, Events Calendar, Tickets, Registrations \u2013 Eventin \u003c= 4.0.4 - Missing Authorization to Authenticated (Contributor+) Event Data Import"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2024-6033",
        "datePublished": "2024-07-17T06:45:07.709Z",
        "dateReserved": "2024-06-15T00:10:45.498Z",
        "dateUpdated": "2026-04-08T16:37:19.652Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-4796 (GCVE-0-2025-4796)

    Vulnerability from cvelistv5 – Published: 2025-08-08 18:26 – Updated: 2026-04-08 17:11
    VLAI
    Title
    Eventin <= 4.0.34 - Authenticated (Contributor+) Privilege Escalation via User Email Change/Account Takeover
    Summary
    The Eventin plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 4.0.34. This is due to the plugin not properly validating a user's identity or capability prior to updating their details like email in the 'Eventin\Speaker\Api\SpeakerController::update_item' function. This makes it possible for unauthenticated attackers with contributor-level and above permissions to change arbitrary user's email addresses, including administrators, and leverage that to reset the user's password and gain access to their account.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-639 - Authorization Bypass Through User-Controlled Key
    Assigner
    Impacted products
    Credits
    István Márton
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-4796",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-08-08T18:57:51.340619Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-08-08T18:58:03.058Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Eventin \u2013 Event Calendar, Event Registration, Tickets \u0026 Booking (AI Powered)",
              "vendor": "arraytics",
              "versions": [
                {
                  "lessThanOrEqual": "4.0.34",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Istv\u00e1n M\u00e1rton"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Eventin plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 4.0.34. This is due to the plugin not properly validating a user\u0027s identity or capability prior to updating their details like email in the \u0027Eventin\\Speaker\\Api\\SpeakerController::update_item\u0027 function. This makes it possible for unauthenticated attackers with contributor-level and above permissions to change arbitrary user\u0027s email addresses, including administrators, and leverage that to reset the user\u0027s password and gain access to their account."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-639",
                  "description": "CWE-639 Authorization Bypass Through User-Controlled Key",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T17:11:41.513Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9e0d441d-1da5-45e7-8a14-ce178099c0cc?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wp-event-solution/tags/4.0.28/core/speaker/Api/SpeakerController.php#L419"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3336972/wp-event-solution/trunk/core/speaker/Api/SpeakerController.php#file0"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2025-05-15T00:00:00.000Z",
              "value": "Discovered"
            },
            {
              "lang": "en",
              "time": "2025-05-15T00:00:00.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2025-08-08T00:00:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Eventin \u003c= 4.0.34 - Authenticated (Contributor+) Privilege Escalation via User Email Change/Account Takeover"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2025-4796",
        "datePublished": "2025-08-08T18:26:26.586Z",
        "dateReserved": "2025-05-15T17:20:16.666Z",
        "dateUpdated": "2026-04-08T17:11:41.513Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-49321 (GCVE-0-2025-49321)

    Vulnerability from cvelistv5 – Published: 2025-06-27 11:52 – Updated: 2026-04-28 16:13
    VLAI
    Title
    WordPress Eventin plugin <= 4.0.28 - Cross Site Scripting (XSS) Vulnerability
    Summary
    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Arraytics Eventin wp-event-solution allows Reflected XSS.This issue affects Eventin: from n/a through <= 4.0.28.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    References
    Impacted products
    Vendor Product Version
    Arraytics Eventin Affected: 0 , ≤ 4.0.28 (custom)
    Create a notification for this product.
    Date Public
    2026-04-01 16:41
    Credits
    Nguyen Ngoc Quang Bach (maysbachs) | Patchstack Bug Bounty Program
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-49321",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-06-27T14:37:56.711564Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-06-27T14:47:12.677Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://wordpress.org/plugins",
              "defaultStatus": "unaffected",
              "packageName": "wp-event-solution",
              "product": "Eventin",
              "vendor": "Arraytics",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "4.0.29",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "4.0.28",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Nguyen Ngoc Quang Bach (maysbachs) | Patchstack Bug Bounty Program"
            }
          ],
          "datePublic": "2026-04-01T16:41:03.525Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in Arraytics Eventin wp-event-solution allows Reflected XSS.\u003cp\u003eThis issue affects Eventin: from n/a through \u003c= 4.0.28.\u003c/p\u003e"
                }
              ],
              "value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in Arraytics Eventin wp-event-solution allows Reflected XSS.This issue affects Eventin: from n/a through \u003c= 4.0.28."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-591",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "Reflected XSS"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 7.1,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-28T16:13:00.966Z",
            "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
            "shortName": "Patchstack"
          },
          "references": [
            {
              "tags": [
                "vdb-entry"
              ],
              "url": "https://patchstack.com/database/Wordpress/Plugin/wp-event-solution/vulnerability/wordpress-eventin-4-0-28-cross-site-scripting-xss-vulnerability?_s_id=cve"
            }
          ],
          "title": "WordPress Eventin plugin \u003c= 4.0.28 - Cross Site Scripting (XSS) Vulnerability"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "assignerShortName": "Patchstack",
        "cveId": "CVE-2025-49321",
        "datePublished": "2025-06-27T11:52:32.006Z",
        "dateReserved": "2025-06-04T09:42:07.048Z",
        "dateUpdated": "2026-04-28T16:13:00.966Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-47539 (GCVE-0-2025-47539)

    Vulnerability from cvelistv5 – Published: 2025-05-23 12:43 – Updated: 2026-04-28 16:12
    VLAI KEVIntel
    Title
    WordPress Eventin plugin <= 4.0.26 - Privilege Escalation Vulnerability
    Summary
    Incorrect Privilege Assignment vulnerability in Arraytics Eventin wp-event-solution allows Privilege Escalation.This issue affects Eventin: from n/a through <= 4.0.26.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-266 - Incorrect Privilege Assignment
    Assigner
    References
    Impacted products
    Vendor Product Version
    Arraytics Eventin Affected: 0 , ≤ 4.0.26 (custom)
    Create a notification for this product.
    Date Public
    2026-04-01 16:40
    Credits
    Denver Jackson | Patchstack Bug Bounty Program
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-47539",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-05-23T16:36:24.686857Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-05-23T16:42:00.759Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://wordpress.org/plugins",
              "defaultStatus": "unaffected",
              "packageName": "wp-event-solution",
              "product": "Eventin",
              "vendor": "Arraytics",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "4.0.27",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "4.0.26",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Denver Jackson | Patchstack Bug Bounty Program"
            }
          ],
          "datePublic": "2026-04-01T16:40:08.054Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Incorrect Privilege Assignment vulnerability in Arraytics Eventin wp-event-solution allows Privilege Escalation.\u003cp\u003eThis issue affects Eventin: from n/a through \u003c= 4.0.26.\u003c/p\u003e"
                }
              ],
              "value": "Incorrect Privilege Assignment vulnerability in Arraytics Eventin wp-event-solution allows Privilege Escalation.This issue affects Eventin: from n/a through \u003c= 4.0.26."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-233",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "Privilege Escalation"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-266",
                  "description": "Incorrect Privilege Assignment",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-28T16:12:44.335Z",
            "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
            "shortName": "Patchstack"
          },
          "references": [
            {
              "tags": [
                "vdb-entry"
              ],
              "url": "https://patchstack.com/database/Wordpress/Plugin/wp-event-solution/vulnerability/wordpress-eventin-4-0-26-privilege-escalation-vulnerability?_s_id=cve"
            }
          ],
          "title": "WordPress Eventin plugin \u003c= 4.0.26 - Privilege Escalation Vulnerability"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "assignerShortName": "Patchstack",
        "cveId": "CVE-2025-47539",
        "datePublished": "2025-05-23T12:43:31.396Z",
        "dateReserved": "2025-05-07T09:39:53.906Z",
        "dateUpdated": "2026-04-28T16:12:44.335Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-47445 (GCVE-0-2025-47445)

    Vulnerability from cvelistv5 – Published: 2025-05-14 11:37 – Updated: 2026-05-12 00:16
    VLAI
    Title
    WordPress Eventin plugin <= 4.0.26 - Arbitrary File Download Vulnerability
    Summary
    Relative Path Traversal vulnerability in Arraytics Eventin wp-event-solution allows Path Traversal.This issue affects Eventin: from n/a through <= 4.0.26.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-23 - Relative Path Traversal
    Assigner
    References
    Impacted products
    Vendor Product Version
    Arraytics Eventin Affected: 0 , ≤ 4.0.26 (custom)
    Create a notification for this product.
    Date Public
    2026-04-01 16:39
    Credits
    Martino Spagnuolo (r3verii) | Patchstack Bug Bounty Program
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-47445",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-05-14T13:27:20.650330Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-12T00:16:18.055Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://wordpress.org/plugins",
              "defaultStatus": "unaffected",
              "packageName": "wp-event-solution",
              "product": "Eventin",
              "vendor": "Arraytics",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "4.0.27",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "4.0.26",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Martino Spagnuolo (r3verii) | Patchstack Bug Bounty Program"
            }
          ],
          "datePublic": "2026-04-01T16:39:56.092Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Relative Path Traversal vulnerability in Arraytics Eventin wp-event-solution allows Path Traversal.\u003cp\u003eThis issue affects Eventin: from n/a through \u003c= 4.0.26.\u003c/p\u003e"
                }
              ],
              "value": "Relative Path Traversal vulnerability in Arraytics Eventin wp-event-solution allows Path Traversal.This issue affects Eventin: from n/a through \u003c= 4.0.26."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-126",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "Path Traversal"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-23",
                  "description": "Relative Path Traversal",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-28T16:12:40.902Z",
            "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
            "shortName": "Patchstack"
          },
          "references": [
            {
              "tags": [
                "vdb-entry"
              ],
              "url": "https://patchstack.com/database/Wordpress/Plugin/wp-event-solution/vulnerability/wordpress-eventin-4-0-26-arbitrary-file-download-vulnerability?_s_id=cve"
            }
          ],
          "title": "WordPress Eventin plugin \u003c= 4.0.26 - Arbitrary File Download Vulnerability"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "assignerShortName": "Patchstack",
        "cveId": "CVE-2025-47445",
        "datePublished": "2025-05-14T11:37:49.467Z",
        "dateReserved": "2025-05-07T09:38:32.079Z",
        "dateUpdated": "2026-05-12T00:16:18.055Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-3419 (GCVE-0-2025-3419)

    Vulnerability from cvelistv5 – Published: 2025-05-08 05:22 – Updated: 2026-04-08 16:36
    VLAI
    Title
    Event Manager, Events Calendar, Tickets, Registrations – Eventin <= 4.0.26 - Unauthenticated Arbitrary File Read
    Summary
    The Event Manager, Events Calendar, Tickets, Registrations – Eventin plugin for WordPress is vulnerable to arbitrary file read in all versions up to, and including, 4.0.26 via the proxy_image() function. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information. CVE-2025-47445 is a duplicate of this vulnerability.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-73 - External Control of File Name or Path
    Assigner
    Impacted products
    Credits
    Michael Mazzolini
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-3419",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-05-08T14:11:17.752616Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-05-08T14:12:20.919Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Eventin \u2013 Event Calendar, Event Registration, Tickets \u0026 Booking (AI Powered)",
              "vendor": "arraytics",
              "versions": [
                {
                  "lessThanOrEqual": "4.0.26",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Michael Mazzolini"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Event Manager, Events Calendar, Tickets, Registrations \u2013 Eventin plugin for WordPress is vulnerable to arbitrary file read in all versions up to, and including, 4.0.26 via the proxy_image() function. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information. CVE-2025-47445 is a duplicate of this vulnerability."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-73",
                  "description": "CWE-73 External Control of File Name or Path",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T16:36:48.311Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1479071c-85c3-41fd-8ad7-f0dee32f201b?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3284545/wp-event-solution/trunk/core/Admin/Hooks.php"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2025-05-07T16:25:44.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Event Manager, Events Calendar, Tickets, Registrations \u2013 Eventin \u003c= 4.0.26 - Unauthenticated Arbitrary File Read"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2025-3419",
        "datePublished": "2025-05-08T05:22:51.039Z",
        "dateReserved": "2025-04-07T14:50:06.932Z",
        "dateUpdated": "2026-04-08T16:36:48.311Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-39584 (GCVE-0-2025-39584)

    Vulnerability from cvelistv5 – Published: 2025-04-16 12:44 – Updated: 2026-04-28 16:12
    VLAI
    Title
    WordPress Eventin plugin <= 4.0.25 - Local File Inclusion Vulnerability
    Summary
    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Arraytics Eventin wp-event-solution allows PHP Local File Inclusion.This issue affects Eventin: from n/a through <= 4.0.25.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-98 - Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
    Assigner
    References
    Impacted products
    Vendor Product Version
    Arraytics Eventin Affected: 0 , ≤ 4.0.25 (custom)
    Create a notification for this product.
    Date Public
    2026-04-01 16:39
    Credits
    theviper17 | Patchstack Bug Bounty Program
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-39584",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-16T14:27:47.991410Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-16T14:28:05.665Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://wordpress.org/plugins",
              "defaultStatus": "unaffected",
              "packageName": "wp-event-solution",
              "product": "Eventin",
              "vendor": "Arraytics",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "4.0.26",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "4.0.25",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "theviper17 | Patchstack Bug Bounty Program"
            }
          ],
          "datePublic": "2026-04-01T16:39:34.684Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Improper Control of Filename for Include/Require Statement in PHP Program (\u0027PHP Remote File Inclusion\u0027) vulnerability in Arraytics Eventin wp-event-solution allows PHP Local File Inclusion.\u003cp\u003eThis issue affects Eventin: from n/a through \u003c= 4.0.25.\u003c/p\u003e"
                }
              ],
              "value": "Improper Control of Filename for Include/Require Statement in PHP Program (\u0027PHP Remote File Inclusion\u0027) vulnerability in Arraytics Eventin wp-event-solution allows PHP Local File Inclusion.This issue affects Eventin: from n/a through \u003c= 4.0.25."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-252",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "PHP Local File Inclusion"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-98",
                  "description": "Improper Control of Filename for Include/Require Statement in PHP Program (\u0027PHP Remote File Inclusion\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-28T16:12:35.217Z",
            "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
            "shortName": "Patchstack"
          },
          "references": [
            {
              "tags": [
                "vdb-entry"
              ],
              "url": "https://patchstack.com/database/Wordpress/Plugin/wp-event-solution/vulnerability/wordpress-eventin-4-0-25-local-file-inclusion-vulnerability?_s_id=cve"
            }
          ],
          "title": "WordPress Eventin plugin \u003c= 4.0.25 - Local File Inclusion Vulnerability"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "assignerShortName": "Patchstack",
        "cveId": "CVE-2025-39584",
        "datePublished": "2025-04-16T12:44:22.763Z",
        "dateReserved": "2025-04-16T06:26:44.221Z",
        "dateUpdated": "2026-04-28T16:12:35.217Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-1766 (GCVE-0-2025-1766)

    Vulnerability from cvelistv5 – Published: 2025-03-20 05:22 – Updated: 2026-04-08 17:32
    VLAI
    Title
    Event Manager, Events Calendar, Tickets, Registrations – Eventin <= 4.0.24 - Missing Authorization to Unauthenticated Payment Status Update
    Summary
    The Event Manager, Events Calendar, Tickets, Registrations – Eventin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'payment_complete' function in all versions up to, and including, 4.0.24. This makes it possible for unauthenticated attackers to update the status of ticket payments to 'completed', possibly resulting in financial loss.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Credits
    wesley
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-1766",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-03-20T15:10:46.195717Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-03-20T15:10:55.571Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Eventin \u2013 Event Calendar, Event Registration, Tickets \u0026 Booking (AI Powered)",
              "vendor": "arraytics",
              "versions": [
                {
                  "lessThanOrEqual": "4.0.24",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "wesley"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Event Manager, Events Calendar, Tickets, Registrations \u2013 Eventin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the \u0027payment_complete\u0027 function in all versions up to, and including, 4.0.24. This makes it possible for unauthenticated attackers to update the status of ticket payments to \u0027completed\u0027, possibly resulting in financial loss."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862 Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T17:32:40.671Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f2bcaff9-bf04-4d8e-9422-c433264067ff?source=cve"
            },
            {
              "url": "http://plugins.trac.wordpress.org/browser/wp-event-solution/tags/4.0.24/core/Order/PaymentController.php#L97"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3257023/"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2025-03-19T17:03:39.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Event Manager, Events Calendar, Tickets, Registrations \u2013 Eventin \u003c= 4.0.24 - Missing Authorization to Unauthenticated Payment Status Update"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2025-1766",
        "datePublished": "2025-03-20T05:22:35.308Z",
        "dateReserved": "2025-02-27T19:26:34.096Z",
        "dateUpdated": "2026-04-08T17:32:40.671Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-1770 (GCVE-0-2025-1770)

    Vulnerability from cvelistv5 – Published: 2025-03-20 05:22 – Updated: 2026-04-08 16:56
    VLAI
    Title
    Event Manager, Events Calendar, Tickets, Registrations – Eventin <= 4.0.24 - Authenticated (Contributor+) Local File Inclusion
    Summary
    The Event Manager, Events Calendar, Tickets, Registrations – Eventin plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.0.24 via the 'style' parameter. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
    Assigner
    Impacted products
    Credits
    wesley
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-1770",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-03-20T15:11:08.732933Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-03-20T15:11:17.756Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Eventin \u2013 Event Calendar, Event Registration, Tickets \u0026 Booking (AI Powered)",
              "vendor": "arraytics",
              "versions": [
                {
                  "lessThanOrEqual": "4.0.24",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "wesley"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Event Manager, Events Calendar, Tickets, Registrations \u2013 Eventin plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.0.24 via the \u0027style\u0027 parameter. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other \u201csafe\u201d file types can be uploaded and included."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T16:56:18.670Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5f24baee-7003-449b-9072-d95fa1e26c8f?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wp-event-solution/tags/4.0.24/widgets/upcoming-event-tab/style/tab-1.php#L53"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wp-event-solution/tags/4.0.24/widgets/events-calendar/events-calendar.php#L715"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3257023/"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2025-03-19T17:03:49.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Event Manager, Events Calendar, Tickets, Registrations \u2013 Eventin \u003c= 4.0.24 - Authenticated (Contributor+) Local File Inclusion"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2025-1770",
        "datePublished": "2025-03-20T05:22:34.878Z",
        "dateReserved": "2025-02-28T00:09:15.655Z",
        "dateUpdated": "2026-04-08T16:56:18.670Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-26964 (GCVE-0-2025-26964)

    Vulnerability from cvelistv5 – Published: 2025-02-25 14:17 – Updated: 2026-04-28 16:11
    VLAI
    Title
    WordPress Eventin plugin <= 4.0.20 - Local File Inclusion vulnerability
    Summary
    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Arraytics Eventin wp-event-solution allows PHP Local File Inclusion.This issue affects Eventin: from n/a through <= 4.0.20.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-98 - Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
    Assigner
    References
    Impacted products
    Vendor Product Version
    Arraytics Eventin Affected: 0 , ≤ 4.0.20 (custom)
    Create a notification for this product.
    Date Public
    2026-04-01 16:35
    Credits
    Peter Thaleikis | Patchstack Bug Bounty Program
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-26964",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-02-25T14:55:43.356119Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-02-25T14:55:57.382Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://wordpress.org/plugins",
              "defaultStatus": "unaffected",
              "packageName": "wp-event-solution",
              "product": "Eventin",
              "vendor": "Arraytics",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "4.0.21",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "4.0.20",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Peter Thaleikis | Patchstack Bug Bounty Program"
            }
          ],
          "datePublic": "2026-04-01T16:35:28.353Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Improper Control of Filename for Include/Require Statement in PHP Program (\u0027PHP Remote File Inclusion\u0027) vulnerability in Arraytics Eventin wp-event-solution allows PHP Local File Inclusion.\u003cp\u003eThis issue affects Eventin: from n/a through \u003c= 4.0.20.\u003c/p\u003e"
                }
              ],
              "value": "Improper Control of Filename for Include/Require Statement in PHP Program (\u0027PHP Remote File Inclusion\u0027) vulnerability in Arraytics Eventin wp-event-solution allows PHP Local File Inclusion.This issue affects Eventin: from n/a through \u003c= 4.0.20."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-252",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "PHP Local File Inclusion"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-98",
                  "description": "Improper Control of Filename for Include/Require Statement in PHP Program (\u0027PHP Remote File Inclusion\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-28T16:11:44.838Z",
            "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
            "shortName": "Patchstack"
          },
          "references": [
            {
              "tags": [
                "vdb-entry"
              ],
              "url": "https://patchstack.com/database/Wordpress/Plugin/wp-event-solution/vulnerability/wordpress-eventin-plugin-4-0-20-local-file-inclusion-vulnerability?_s_id=cve"
            }
          ],
          "title": "WordPress Eventin plugin \u003c= 4.0.20 - Local File Inclusion vulnerability"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "assignerShortName": "Patchstack",
        "cveId": "CVE-2025-26964",
        "datePublished": "2025-02-25T14:17:57.457Z",
        "dateReserved": "2025-02-17T11:51:33.745Z",
        "dateUpdated": "2026-04-28T16:11:44.838Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-56213 (GCVE-0-2024-56213)

    Vulnerability from cvelistv5 – Published: 2024-12-31 10:02 – Updated: 2026-04-28 16:10
    VLAI
    Title
    WordPress Eventin plugin <= 4.0.7 - Contributor+ Limited Local File Inclusion vulnerability
    Summary
    Path Traversal: '.../...//' vulnerability in Arraytics Eventin wp-event-solution allows Path Traversal.This issue affects Eventin: from n/a through <= 4.0.7.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-35 - Path Traversal: '.../...//'
    Assigner
    References
    Impacted products
    Vendor Product Version
    Arraytics Eventin Affected: 0 , ≤ 4.0.7 (custom)
    Create a notification for this product.
    Date Public
    2026-04-01 16:31
    Credits
    João Pedro S Alcântara (Kinorth) | Patchstack Bug Bounty Program
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-56213",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-01-02T19:28:10.658906Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-01-02T19:28:19.467Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://wordpress.org/plugins",
              "defaultStatus": "unaffected",
              "packageName": "wp-event-solution",
              "product": "Eventin",
              "vendor": "Arraytics",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "4.0.9",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "4.0.7",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Jo\u00e3o Pedro S Alc\u00e2ntara (Kinorth) | Patchstack Bug Bounty Program"
            }
          ],
          "datePublic": "2026-04-01T16:31:04.431Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Path Traversal: \u0027.../...//\u0027 vulnerability in Arraytics Eventin wp-event-solution allows Path Traversal.\u003cp\u003eThis issue affects Eventin: from n/a through \u003c= 4.0.7.\u003c/p\u003e"
                }
              ],
              "value": "Path Traversal: \u0027.../...//\u0027 vulnerability in Arraytics Eventin wp-event-solution allows Path Traversal.This issue affects Eventin: from n/a through \u003c= 4.0.7."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-126",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "Path Traversal"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-35",
                  "description": "Path Traversal: \u0027.../...//\u0027",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-28T16:10:55.181Z",
            "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
            "shortName": "Patchstack"
          },
          "references": [
            {
              "tags": [
                "vdb-entry"
              ],
              "url": "https://patchstack.com/database/Wordpress/Plugin/wp-event-solution/vulnerability/wordpress-eventin-plugin-4-0-7-contributor-limited-local-file-inclusion-vulnerability?_s_id=cve"
            }
          ],
          "title": "WordPress Eventin plugin \u003c= 4.0.7 - Contributor+ Limited Local File Inclusion vulnerability"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "assignerShortName": "Patchstack",
        "cveId": "CVE-2024-56213",
        "datePublished": "2024-12-31T10:02:21.132Z",
        "dateReserved": "2024-12-18T19:03:54.296Z",
        "dateUpdated": "2026-04-28T16:10:55.181Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2023-49756 (GCVE-0-2023-49756)

    Vulnerability from cvelistv5 – Published: 2024-12-09 11:30 – Updated: 2026-05-11 22:20
    VLAI
    Title
    WordPress Eventin plugin <= 3.3.52 - Authenticated Notice Dismissal Vulnerability
    Summary
    Missing Authorization vulnerability in Arraytics Eventin wp-event-solution allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Eventin: from n/a through <= 3.3.52.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    Arraytics Eventin Affected: 0 , ≤ 3.3.52 (custom)
    Create a notification for this product.
    Date Public
    2026-04-22 14:35
    Credits
    Abdi Pranata | Patchstack Bug Bounty Program
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-49756",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-12-09T13:50:43.834472Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-11T22:20:29.585Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://wordpress.org/plugins",
              "defaultStatus": "unaffected",
              "packageName": "wp-event-solution",
              "product": "Eventin",
              "vendor": "Arraytics",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "3.3.53",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "3.3.52",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Abdi Pranata | Patchstack Bug Bounty Program"
            }
          ],
          "datePublic": "2026-04-22T14:35:10.629Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Missing Authorization vulnerability in Arraytics Eventin wp-event-solution allows Exploiting Incorrectly Configured Access Control Security Levels.\u003cp\u003eThis issue affects Eventin: from n/a through \u003c= 3.3.52.\u003c/p\u003e"
                }
              ],
              "value": "Missing Authorization vulnerability in Arraytics Eventin wp-event-solution allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Eventin: from n/a through \u003c= 3.3.52."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-180",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "Exploiting Incorrectly Configured Access Control Security Levels"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-29T09:51:52.336Z",
            "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
            "shortName": "Patchstack"
          },
          "references": [
            {
              "tags": [
                "vdb-entry"
              ],
              "url": "https://patchstack.com/database/Wordpress/Plugin/wp-event-solution/vulnerability/wordpress-eventin-plugin-3-3-44-authenticated-notice-dismissal-vulnerability?_s_id=cve"
            }
          ],
          "title": "WordPress Eventin plugin \u003c= 3.3.52 - Authenticated Notice Dismissal Vulnerability"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "assignerShortName": "Patchstack",
        "cveId": "CVE-2023-49756",
        "datePublished": "2024-12-09T11:30:15.153Z",
        "dateReserved": "2023-11-30T13:22:02.831Z",
        "dateUpdated": "2026-05-11T22:20:29.585Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-7149 (GCVE-0-2024-7149)

    Vulnerability from cvelistv5 – Published: 2024-09-27 13:52 – Updated: 2026-04-08 17:01
    VLAI
    Title
    Event Manager, Events Calendar, Tickets, Registrations – Eventin <= 4.0.8 - Authenticated (Contributor+) Local File Inclusion
    Summary
    The Event Manager, Events Calendar, Tickets, Registrations – Eventin plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.0.8 via multiple style parameters. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
    Assigner
    Impacted products
    Vendor Product Version
    arraytics Eventin – Event Calendar, Event Registration, Tickets & Booking (AI Powered) Affected: 0 , ≤ 4.0.8 (semver)
    Create a notification for this product.
    themewinter eventin Affected: 0 , ≤ 4.0.8 (semver)
        cpe:2.3:a:themewinter:eventin:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Matthew Rollings
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:themewinter:eventin:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "eventin",
                "vendor": "themewinter",
                "versions": [
                  {
                    "lessThanOrEqual": "4.0.8",
                    "status": "affected",
                    "version": "0",
                    "versionType": "semver"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-7149",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-09-27T15:03:13.900374Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-09-27T16:21:52.561Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Eventin \u2013 Event Calendar, Event Registration, Tickets \u0026 Booking (AI Powered)",
              "vendor": "arraytics",
              "versions": [
                {
                  "lessThanOrEqual": "4.0.8",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Matthew Rollings"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Event Manager, Events Calendar, Tickets, Registrations \u2013 Eventin plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.0.8 via multiple style parameters. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other \u201csafe\u201d file types can be uploaded and included."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T17:01:18.970Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/75537b61-5622-4b35-b80e-389526bd99f0?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wp-event-solution/trunk/widgets/speakers/speakers.php#L483"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wp-event-solution/trunk/widgets/events/events.php#L754"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wp-event-solution/trunk/widgets/schedule/schedule.php#L368"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wp-event-solution/trunk/widgets/schedule-list/schedule-list.php#L293"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wp-event-solution/trunk/widgets/events-tab/style/tab-1.php#L42"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3157415/"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2024-09-26T00:00:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Event Manager, Events Calendar, Tickets, Registrations \u2013 Eventin \u003c= 4.0.8 - Authenticated (Contributor+) Local File Inclusion"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2024-7149",
        "datePublished": "2024-09-27T13:52:55.422Z",
        "dateReserved": "2024-07-26T21:05:54.791Z",
        "dateUpdated": "2026-04-08T17:01:18.970Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-39648 (GCVE-0-2024-39648)

    Vulnerability from cvelistv5 – Published: 2024-08-01 21:56 – Updated: 2026-04-28 16:10
    VLAI
    Title
    WordPress Eventin plugin <= 4.0.5 - Cross Site Scripting (XSS) vulnerability
    Summary
    Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Themewinter Eventin allows Stored XSS.This issue affects Eventin: from n/a through 4.0.5.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
    Assigner
    References
    Impacted products
    Vendor Product Version
    Themewinter Eventin Affected: n/a , ≤ 4.0.5 (custom)
    Create a notification for this product.
    Credits
    justakazh (Patchstack Alliance)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-39648",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-08-02T18:16:43.044596Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-08-02T18:18:49.894Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://wordpress.org/plugins",
              "defaultStatus": "unaffected",
              "packageName": "wp-event-solution",
              "product": "Eventin",
              "vendor": "Themewinter",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "4.0.6",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "4.0.5",
                  "status": "affected",
                  "version": "n/a",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "user": "00000000-0000-4000-9000-000000000000",
              "value": "justakazh (Patchstack Alliance)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027) vulnerability in Themewinter Eventin allows Stored XSS.\u003cp\u003eThis issue affects Eventin: from n/a through 4.0.5.\u003c/p\u003e"
                }
              ],
              "value": "Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027) vulnerability in Themewinter Eventin allows Stored XSS.This issue affects Eventin: from n/a through 4.0.5."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-592",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-592 Stored XSS"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 5.9,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-28T16:10:07.704Z",
            "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
            "shortName": "Patchstack"
          },
          "references": [
            {
              "tags": [
                "vdb-entry"
              ],
              "url": "https://patchstack.com/database/vulnerability/wp-event-solution/wordpress-eventin-plugin-4-0-5-cross-site-scripting-xss-vulnerability?_s_id=cve"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Update to 4.0.6 or a higher version."
                }
              ],
              "value": "Update to 4.0.6 or a higher version."
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "WordPress Eventin plugin \u003c= 4.0.5 - Cross Site Scripting (XSS) vulnerability",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "assignerShortName": "Patchstack",
        "cveId": "CVE-2024-39648",
        "datePublished": "2024-08-01T21:56:27.877Z",
        "dateReserved": "2024-06-26T21:18:49.917Z",
        "dateUpdated": "2026-04-28T16:10:07.704Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-37507 (GCVE-0-2024-37507)

    Vulnerability from cvelistv5 – Published: 2024-07-21 07:21 – Updated: 2026-04-28 16:10
    VLAI
    Title
    WordPress Eventin plugin <= 3.3.57 - Cross Site Scripting (XSS) vulnerability
    Summary
    Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Themewinter Eventin allows Stored XSS.This issue affects Eventin: from n/a through 3.3.57.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
    Assigner
    References
    Impacted products
    Vendor Product Version
    Themewinter Eventin Affected: n/a , ≤ 3.3.57 (custom)
    Create a notification for this product.
    Credits
    justakazh (Patchstack Alliance)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-37507",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-07-22T13:44:41.431606Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-07-22T20:29:12.745Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T03:57:39.538Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "vdb-entry",
                  "x_transferred"
                ],
                "url": "https://patchstack.com/database/vulnerability/wp-event-solution/wordpress-eventin-plugin-3-3-57-cross-site-scripting-xss-vulnerability?_s_id=cve"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://wordpress.org/plugins",
              "defaultStatus": "unaffected",
              "packageName": "wp-event-solution",
              "product": "Eventin",
              "vendor": "Themewinter",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "4.0.0",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "3.3.57",
                  "status": "affected",
                  "version": "n/a",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "user": "00000000-0000-4000-9000-000000000000",
              "value": "justakazh (Patchstack Alliance)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027) vulnerability in Themewinter Eventin allows Stored XSS.\u003cp\u003eThis issue affects Eventin: from n/a through 3.3.57.\u003c/p\u003e"
                }
              ],
              "value": "Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027) vulnerability in Themewinter Eventin allows Stored XSS.This issue affects Eventin: from n/a through 3.3.57."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-592",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-592 Stored XSS"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-28T16:10:00.461Z",
            "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
            "shortName": "Patchstack"
          },
          "references": [
            {
              "tags": [
                "vdb-entry"
              ],
              "url": "https://patchstack.com/database/vulnerability/wp-event-solution/wordpress-eventin-plugin-3-3-57-cross-site-scripting-xss-vulnerability?_s_id=cve"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Update to 4.0.0 or a higher version."
                }
              ],
              "value": "Update to 4.0.0 or a higher version."
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "WordPress Eventin plugin \u003c= 3.3.57 - Cross Site Scripting (XSS) vulnerability",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "assignerShortName": "Patchstack",
        "cveId": "CVE-2024-37507",
        "datePublished": "2024-07-21T07:21:16.160Z",
        "dateReserved": "2024-06-09T13:11:08.416Z",
        "dateUpdated": "2026-04-28T16:10:00.461Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-6033 (GCVE-0-2024-6033)

    Vulnerability from cvelistv5 – Published: 2024-07-17 06:45 – Updated: 2026-04-08 16:37
    VLAI
    Title
    Event Manager, Events Calendar, Tickets, Registrations – Eventin <= 4.0.4 - Missing Authorization to Authenticated (Contributor+) Event Data Import
    Summary
    The Event Manager, Events Calendar, Tickets, Registrations – Eventin plugin for WordPress is vulnerable to unauthorized data importation due to a missing capability check on the 'import_file' function in all versions up to, and including, 4.0.4. This makes it possible for authenticated attackers, with Contributor-level access and above, to import events, speakers, schedules and attendee data.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Credits
    Peter Thaleikis
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-6033",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-07-17T13:18:25.340637Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-07-18T13:39:16.897Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T21:25:03.214Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1725c7f3-2fac-4714-a63e-6c43694483fc?source=cve"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://plugins.trac.wordpress.org/browser/wp-event-solution/trunk/core/admin/hooks.php#L135"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://plugins.trac.wordpress.org/changeset/3117477/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Eventin \u2013 Event Calendar, Event Registration, Tickets \u0026 Booking (AI Powered)",
              "vendor": "arraytics",
              "versions": [
                {
                  "lessThanOrEqual": "4.0.4",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Peter Thaleikis"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Event Manager, Events Calendar, Tickets, Registrations \u2013 Eventin plugin for WordPress is vulnerable to unauthorized data importation due to a missing capability check on the \u0027import_file\u0027 function in all versions up to, and including, 4.0.4. This makes it possible for authenticated attackers, with Contributor-level access and above, to import events, speakers, schedules and attendee data."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862 Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T16:37:19.652Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1725c7f3-2fac-4714-a63e-6c43694483fc?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wp-event-solution/trunk/core/admin/hooks.php#L135"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3117477/"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2024-07-16T00:00:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Event Manager, Events Calendar, Tickets, Registrations \u2013 Eventin \u003c= 4.0.4 - Missing Authorization to Authenticated (Contributor+) Event Data Import"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2024-6033",
        "datePublished": "2024-07-17T06:45:07.709Z",
        "dateReserved": "2024-06-15T00:10:45.498Z",
        "dateUpdated": "2026-04-08T16:37:19.652Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }