Description
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in magepeopleteam WpEvently mage-eventpress allows PHP Local File Inclusion.This issue affects WpEvently: from n/a through <= 4.2.9.
Published: 2025-03-27
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper limitation of a pathname in the WpEvently plugin allows an attacker to perform a PHP local file inclusion by crafting a path traversal string. This can potentially lead to arbitrary code execution or disclosure of sensitive information. The weakness is identified as CWE‑22, which characterizes untrusted path manipulation.

Affected Systems

The WpEvently plugin (mage-eventpress) from any released version through 4.2.9 is affected. This includes installations on WordPress sites that have not upgraded beyond the 4.2.9 release or to a later patched version. The vendor responsible for this plugin is magepeopleteam.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity for this vulnerability. The EPSS score is reported as less than 1%, suggesting that the likelihood of widespread exploitation is currently low, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that the attacker would need to send a specially crafted request to the plugin’s input handling endpoint that does not properly resolve relative paths, or exploit a local file system path that the server can access. The attack vector is therefore likely remote, but it depends on the plugin’s exposed interfaces.

Generated by OpenCVE AI on May 1, 2026 at 03:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the WpEvently plugin to a version newer than 4.2.9 where the path traversal issue is resolved
  • If an immediate upgrade is not possible, temporarily disable the WpEvently plugin to prevent exploitation
  • Review and restrict file permissions on the web server so that only necessary files are accessible via the plugin’s input paths and configure a web application firewall to block path traversal patterns

Generated by OpenCVE AI on May 1, 2026 at 03:42 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-8306 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in magepeopleteam WpEvently allows PHP Local File Inclusion. This issue affects WpEvently: from n/a through 4.2.9.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in magepeopleteam WpEvently allows PHP Local File Inclusion. This issue affects WpEvently: from n/a through 4.2.9. Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in magepeopleteam WpEvently mage-eventpress allows PHP Local File Inclusion.This issue affects WpEvently: from n/a through <= 4.2.9.
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Thu, 27 Mar 2025 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 27 Mar 2025 11:00:00 +0000

Type Values Removed Values Added
Description Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in magepeopleteam WpEvently allows PHP Local File Inclusion. This issue affects WpEvently: from n/a through 4.2.9.
Title WordPress WpEvently Plugin <= 4.2.9 - PHP Object Injection vulnerability
Weaknesses CWE-22
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:59.892Z

Reserved: 2025-03-26T09:21:31.390Z

Link: CVE-2025-30895

cve-icon Vulnrichment

Updated: 2025-03-27T19:39:36.304Z

cve-icon NVD

Status : Deferred

Published: 2025-03-27T11:15:50.470

Modified: 2026-04-23T15:27:16.950

Link: CVE-2025-30895

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-01T03:45:07Z

Weaknesses
  • CWE-22

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')