Description
The Event Manager, Events Calendar, Tickets, Registrations – Eventin plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.0.24 via the 'style' parameter. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.
Published: 2025-03-20
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Local File Inclusion leading to arbitrary PHP execution
Action: Patch Now
AI Analysis

Impact

The Eventin plugin for WordPress is vulnerable to Local File Inclusion through the 'style' parameter. This flaw allows authenticated users with Contributor privileges or higher to request the inclusion of any file on the server, enabling the execution of arbitrary PHP code. The resulting compromise can bypass role restrictions, disclose sensitive data, and allow full control over the affected WordPress installation.

Affected Systems

WordPress installations running the Eventin – Event Calendar, Event Registration, Tickets & Booking plugin by Arraytics, versions 4.0.24 and earlier.

Risk and Exploitability

The flaw carries a CVSS score of 8.8, indicating high severity, while the EPSS score is less than 1%, suggesting a low but nonzero probability of exploitation. The vulnerability is not listed in CISA’s KEV catalog. An attacker needs valid Contributor credentials to manipulate the 'style' parameter, so the risk is concentrated on sites that hand out Contributor or higher accounts widely. The exploitation path relies on unsanitized input, typical of CWE-22: a crafted request points the plugin at a PHP file stored in an upload directory or elsewhere on the server, and the plugin includes it.

Generated by OpenCVE AI on April 21, 2026 at 21:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Eventin to the latest release (4.0.25 or newer) where the LFI flaw is fixed.
  • If an upgrade is not immediately possible, revoke Contributor or higher role privileges from users who do not need access to the plugin’s configuration screens.
  • Implement strict input validation for the 'style' parameter so that only approved values are accepted, rejecting paths that contain directory traversal sequences.
  • Configure the server to store uploads outside the web root and disable PHP execution in the upload directory.
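As an added illustration of the third action above (not Eventin's code; the function names, option keys and template file names are hypothetical), the CWE-22 include pattern beside an allowlisted replacement in which the 'style' value is only ever a lookup key, never a path component:

```php
<?php
// Added example, not Eventin's code. Hypothetical loader for a 'style' request
// parameter: the unsafe include pattern CWE-22 describes, beside an allowlisted
// replacement that can only include one of a fixed set of template files.

// Unsafe: the request value is concatenated straight into include(), so a value
// that resolves to an uploaded file or any other readable PHP file is executed.
function render_style_unsafe( string $template_dir ): void {
    $style = isset( $_GET['style'] ) ? (string) $_GET['style'] : 'default';
    include $template_dir . '/' . $style . '.php';
}

// Allowlist: approved keys mapped to known files. Traversal sequences, absolute
// paths and null bytes simply fail the lookup instead of being used as a path.
const STYLE_TEMPLATES = [
    'default' => 'style-default.php',
    'list'    => 'style-list.php',
    'grid'    => 'style-grid.php',
];

// Returns the absolute path of the allowlisted template, or null when the key
// is unknown or the resolved file does not live under $template_dir.
function resolve_style_template( string $template_dir, ?string $requested ): ?string {
    $key = $requested ?? 'default';
    if ( ! array_key_exists( $key, STYLE_TEMPLATES ) ) {
        return null;
    }
    $base = realpath( $template_dir );
    $path = realpath( $template_dir . '/' . STYLE_TEMPLATES[ $key ] );
    // Defence in depth: even a mapped file must resolve inside the template dir.
    if ( $base === false || $path === false
        || strpos( $path, $base . DIRECTORY_SEPARATOR ) !== 0 ) {
        return null;
    }
    return $path;
}

// Hardened entry point: reject anything the allowlist does not know.
function render_style_safe( string $template_dir ): void {
    $requested = isset( $_GET['style'] ) ? (string) $_GET['style'] : null;
    $path      = resolve_style_template( $template_dir, $requested );
    if ( $path === null ) {
        http_response_code( 400 );
        echo 'Unknown style';
        return;
    }
    include $path;
}
```

Because the request value is compared against fixed keys rather than sanitized as a path, there is no traversal encoding left to normalise; a rejected value is a useful signal to log for detection.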

Advisories

  Source   ID               Title
  EUVD     EUVD-2025-6746   The Event Manager, Events Calendar, Tickets, Registrations – Eventin plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.0.24 via the 'style' parameter. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.
History

Tue, 08 Jul 2025 17:00:00 +0000

  Type                  Values Removed   Values Added
  First Time appeared   -                Themewinter; Themewinter eventin
  CPEs                  -                cpe:2.3:a:themewinter:eventin:*:*:*:*:*:wordpress:*:*
  Vendors & Products    -                Themewinter; Themewinter eventin

Thu, 20 Mar 2025 15:15:00 +0000

  Type      Values Removed   Values Added
  Metrics   -                ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 20 Mar 2025 05:30:00 +0000

  Type          Values Removed   Values Added
  Description   -                The Event Manager, Events Calendar, Tickets, Registrations – Eventin plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.0.24 via the 'style' parameter. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.
  Title         -                Event Manager, Events Calendar, Tickets, Registrations – Eventin <= 4.0.24 - Authenticated (Contributor+) Local File Inclusion
  Weaknesses    -                CWE-22
  References    -                -
  Metrics       -                cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:56:18.670Z

Reserved: 2025-02-28T00:09:15.655Z

Link: CVE-2025-1770

Vulnrichment

Updated: 2025-03-20T15:11:13.375Z

NVD

Status : Analyzed

Published: 2025-03-20T06:15:22.903

Modified: 2025-07-08T16:38:54.230

Link: CVE-2025-1770

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T22:00:26Z

Weaknesses