Description
The Event Manager, Events Calendar, Tickets, Registrations – Eventin plugin for WordPress is vulnerable to arbitrary file read in all versions up to, and including, 4.0.26 via the proxy_image() function. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information. CVE-2025-47445 is a duplicate of this vulnerability.
Published: 2025-05-08
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary file read
Action: Patch Immediately
AI Analysis

Impact

The Eventin plugin for WordPress contains a vulnerability that allows unauthenticated attackers to read arbitrary files on the server through the proxy_image() function, exposing sensitive data. The flaw is a classic CWE-73 path traversal issue that can be exploited by sending crafted requests to the plugin’s proxy image endpoint, resulting in file disclosure without authentication.

Affected Systems

WordPress sites using the Eventin – Event Calendar, Tickets & Booking plugin from arraytics, version 4.0.26 or earlier. The vulnerability affects all WordPress installations that have the plugin enabled.

Risk and Exploitability

The CVSS score is 7.5, indicating high severity, while the EPSS score of less than 1% suggests a low likelihood of current exploitation. The vulnerability is not listed in the CISA KEV catalog. Attackers can disclose arbitrary files with no credentials, so the risk is primarily to confidentiality. There are no known active exploits, but the existence of the flaw mandates remediation.

Generated by OpenCVE AI on April 22, 2026 at 17:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Eventin plugin to version 4.0.27 or newer.
  • Disable the proxy_image() feature or block access to the proxy image endpoint through the web server configuration.
  • Limit file permissions for the web server user so that only necessary files are readable, and monitor server logs for suspicious read attempts.

Advisories

Source: EUVD
ID: EUVD-2025-13953
Title: The Event Manager, Events Calendar, Tickets, Registrations – Eventin plugin for WordPress is vulnerable to arbitrary file read in all versions up to, and including, 4.0.26 via the proxy_image() function. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information.

History

Wed, 08 Apr 2026 17:00:00 +0000

Type: Description
Values Removed: The Event Manager, Events Calendar, Tickets, Registrations – Eventin plugin for WordPress is vulnerable to arbitrary file read in all versions up to, and including, 4.0.26 via the proxy_image() function. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information.
Values Added: The Event Manager, Events Calendar, Tickets, Registrations – Eventin plugin for WordPress is vulnerable to arbitrary file read in all versions up to, and including, 4.0.26 via the proxy_image() function. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information. CVE-2025-47445 is a duplicate of this vulnerability.

Wed, 16 Jul 2025 13:45:00 +0000

Type: Metrics (epss)
Values Removed: {'score': 0.00087}
Values Added: {'score': 0.00033}


Tue, 15 Jul 2025 13:45:00 +0000

Type: Metrics (epss)
Values Removed: {'score': 0.00083}
Values Added: {'score': 0.00087}


Wed, 04 Jun 2025 23:00:00 +0000

Type: First Time appeared
Values Added: Themewinter; Themewinter eventin
Type: CPEs
Values Added: cpe:2.3:a:themewinter:eventin:*:*:*:*:*:wordpress:*:*
Type: Vendors & Products
Values Added: Themewinter; Themewinter eventin

Thu, 08 May 2025 15:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 08 May 2025 05:45:00 +0000

Type: Description
Values Added: The Event Manager, Events Calendar, Tickets, Registrations – Eventin plugin for WordPress is vulnerable to arbitrary file read in all versions up to, and including, 4.0.26 via the proxy_image() function. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information.
Type: Title
Values Added: Event Manager, Events Calendar, Tickets, Registrations – Eventin <= 4.0.26 - Unauthenticated Arbitrary File Read
Type: Weaknesses
Values Added: CWE-73
Type: References
Values Added:
Type: Metrics (cvssV3_1)
Values Added: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:36:48.311Z

Reserved: 2025-04-07T14:50:06.932Z

Link: CVE-2025-3419

Vulnrichment

Updated: 2025-05-08T14:11:33.581Z

NVD

Status: Modified

Published: 2025-05-08T06:15:32.023

Modified: 2026-04-08T17:20:40.363

Link: CVE-2025-3419

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T17:30:22Z

Weaknesses