Description
The Eventin – Event Manager, Events Calendar, Event Tickets and Registrations plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'post_settings' function in all versions up to, and including, 4.0.51. This makes it possible for unauthenticated attackers to modify plugin settings. Furthermore, due to insufficient input sanitization and output escaping on the 'etn_primary_color' setting, this enables unauthenticated attackers to inject arbitrary web scripts that will execute whenever a user accesses a page where Eventin styles are loaded.
Published: 2026-01-09
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Data Modification and Stored XSS
Action: Immediate Patch
AI Analysis

Impact

Eventin – Event Manager, Events Calendar, Event Tickets and Registrations for WordPress lacks a capability check on the 'post_settings' function, so an unauthenticated attacker can change the plugin's configuration. Because the 'etn_primary_color' setting is neither sanitized on input nor escaped on output, the same flaw also lets the attacker store script in that setting, which then executes for any user who loads a page that includes Eventin styles. The vulnerability is classified as missing authorization (CWE-862).

Affected Systems

WordPress sites running Eventin – Event Calendar, Event Registration, Tickets & Booking (AI Powered) version 4.0.51 or earlier are affected. The plugin is supplied by arraytics and is available via the WordPress plugin repository.

Risk and Exploitability

The CVSS score of 7.2 indicates a high impact combined with a medium to high exploitation potential, but the EPSS score of <1% shows that it is presently unlikely to be widely exploited. It is not listed in CISA KEV. The attack vector is unauthenticated HTTP requests to the plugin's API endpoint: a call to 'post_settings' with a malicious 'etn_primary_color' value persists the change, after which the script executes for all site visitors. No privileges or local access are required, and the flaw can be exploited over ordinary HTTPS traffic.

Generated by OpenCVE AI on April 20, 2026 at 21:11 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Eventin to the latest released version (4.0.52 or later) that enforces capability checks on the 'post_settings' endpoint and sanitizes the 'etn_primary_color' input.
  • If an update is not possible, restrict unauthenticated access to the 'post_settings' API endpoint, for example by adding a WordPress capability requirement or by implementing IP whitelisting or a firewall rule that blocks unauthenticated calls to that endpoint.
  • Deploy a temporary workaround by resetting the 'etn_primary_color' setting to a neutral, safe value, removing any custom scripts, and applying a strict Content Security Policy that blocks script execution from inline or external sources on pages that load Eventin styles.
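
The two controls the recommended actions call for, a capability check on the settings endpoint and validation plus escaping of the colour value, look like this in a WordPress REST handler. This is an illustrative pattern added here, not Eventin's code; the route name, option key and function names are assumptions chosen for the example.

```php
// Illustrative hardened settings endpoint (not Eventin's code). The route,
// option key and function names are assumptions chosen for this example.

add_action( 'rest_api_init', function () {
    register_rest_route( 'example-events/v1', '/settings', array(
        'methods'             => 'POST',
        'callback'            => 'example_post_settings',
        // Capability check: the control CWE-862 describes as missing.
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
        'args' => array(
            'primary_color' => array(
                'required'          => true,
                // Accept only #rgb / #rrggbb, so markup never reaches storage.
                'validate_callback' => 'example_is_hex_color',
                'sanitize_callback' => 'sanitize_text_field',
            ),
        ),
    ) );
} );

function example_is_hex_color( $value ) {
    return is_string( $value )
        && 1 === preg_match( '/^#(?:[0-9a-fA-F]{3}|[0-9a-fA-F]{6})$/', $value );
}

function example_post_settings( WP_REST_Request $request ) {
    // Re-check before storing so the invariant does not rest on route config alone.
    $color = $request->get_param( 'primary_color' );
    if ( ! example_is_hex_color( $color ) ) {
        return new WP_Error( 'invalid_color', 'Expected a hex colour such as #1a2b3c.',
            array( 'status' => 400 ) );
    }
    update_option( 'example_primary_color', $color );
    return rest_ensure_response( array( 'primary_color' => $color ) );
}

// Output side: validate again and escape when emitting the inline stylesheet,
// so a tampered option value cannot break out of the CSS context.
add_action( 'wp_enqueue_scripts', function () {
    $color = get_option( 'example_primary_color', '#000000' );
    if ( ! example_is_hex_color( $color ) ) {
        $color = '#000000';
    }
    wp_register_style( 'example-events', false );
    wp_enqueue_style( 'example-events' );
    wp_add_inline_style( 'example-events', ':root{--example-primary:' . esc_attr( $color ) . ';}' );
} );
```

The output-side check matters independently of the input check: if an attacker already wrote a bad value before the patch, re-validating on read stops it from reaching the page.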

Advisories

No advisories yet.

History

Fri, 09 Jan 2026 18:15:00 +0000

  Type: Metrics (ssvc)
  Values added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 09 Jan 2026 13:30:00 +0000

  Type: First Time appeared
  Values added: Arraytics; Arraytics eventin; Wordpress; Wordpress wordpress

  Type: Vendors & Products
  Values added: Arraytics; Arraytics eventin; Wordpress; Wordpress wordpress

Fri, 09 Jan 2026 07:30:00 +0000

  Type: Description
  Values added: The Eventin – Event Manager, Events Calendar, Event Tickets and Registrations plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'post_settings' function in all versions up to, and including, 4.0.51. This makes it possible for unauthenticated attackers to modify plugin settings. Furthermore, due to insufficient input sanitization and output escaping on the 'etn_primary_color' setting, this enables unauthenticated attackers to inject arbitrary web scripts that will execute whenever a user accesses a page where Eventin styles are loaded.

  Type: Title
  Values added: Eventin – Event Manager, Event Booking, Calendar, Tickets and Registration Plugin (AI Powered) <= 4.0.51 - Missing Authorization to Unauthenticated Stored Cross-Site Scripting via 'post_settings'

  Type: Weaknesses
  Values added: CWE-862

  Type: References

  Type: Metrics (cvssV3_1)
  Values added: {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N'}


Subscriptions

Arraytics Eventin
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:29:31.164Z

Reserved: 2025-12-13T12:25:43.872Z

Link: CVE-2025-14657

Vulnrichment

Updated: 2026-01-09T18:07:20.140Z

NVD

Status : Deferred

Published: 2026-01-09T08:15:57.487

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-14657

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T21:15:20Z

Weaknesses