Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Arraytics Eventin wp-event-solution allows PHP Local File Inclusion. This issue affects Eventin: from n/a through <= 4.0.25.
Published: 2025-04-16
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability is caused by improper control of a filename used in a PHP include/require statement. It permits a Local File Inclusion that may allow attackers to read sensitive files or execute arbitrary code. The weakness is identified as CWE‑98.

Affected Systems

The Eventin WordPress plugin (wp-event-solution) by Arraytics is affected in all versions from the first release through 4.0.25, inclusive. Newer releases (4.0.26 and beyond) are presumed fixed.

Risk and Exploitability

The CVSS score of 7.5 indicates high severity, but the EPSS score is below 1%, meaning the current likelihood of exploitation is low. The vulnerability is not listed in CISA’s KEV catalog. Exploitation typically requires an attacker to supply a crafted filename or path that the plugin will include. An attacker who can influence that input could read local files or potentially run code if the plugin does not properly validate the path.

Generated by OpenCVE AI on April 30, 2026 at 22:49 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Eventin plugin to the latest version (4.0.26 or later).
  • If an upgrade is not immediately possible, disable the Eventin plugin until a patch is available.
  • Review the plugin source to ensure that any include or require calls are restricted to a safe, predetermined directory and that filenames are not derived directly from user input.

Advisories
Source: EUVD
ID: EUVD-2025-11296
Title: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Themewinter Eventin allows PHP Local File Inclusion. This issue affects Eventin: from n/a through 4.0.25.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Removed: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Themewinter Eventin allows PHP Local File Inclusion. This issue affects Eventin: from n/a through 4.0.25.
  Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Arraytics Eventin wp-event-solution allows PHP Local File Inclusion. This issue affects Eventin: from n/a through <= 4.0.25.
Title
  Removed: WordPress Eventin <= 4.0.25 - Local File Inclusion Vulnerability
  Added: WordPress Eventin plugin <= 4.0.25 - Local File Inclusion Vulnerability
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Tue, 12 Aug 2025 18:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:themewinter:eventin:*:*:*:*:*:wordpress:*:*

Wed, 16 Apr 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 16 Apr 2025 12:45:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Themewinter Eventin allows PHP Local File Inclusion. This issue affects Eventin: from n/a through 4.0.25.
Title WordPress Eventin <= 4.0.25 - Local File Inclusion Vulnerability
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:35.217Z

Reserved: 2025-04-16T06:26:44.221Z

Link: CVE-2025-39584

Vulnrichment

Updated: 2025-04-16T14:28:01.212Z

NVD

Status: Modified

Published: 2025-04-16T13:15:51.270

Modified: 2026-04-23T15:29:50.143

Link: CVE-2025-39584

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T23:00:04Z
