Description
Relative Path Traversal vulnerability in Arraytics Eventin wp-event-solution allows Path Traversal. This issue affects Eventin: from n/a through <= 4.0.26.
Published: 2025-05-14
Score: 7.5 High
EPSS: 8.8% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in Arraytics Eventin allows an attacker to manipulate the file path used by the plugin’s download routine, resulting in the server serving any file on the filesystem. This path‑traversal flaw, classified as CWE‑23, can expose sensitive files such as configuration files or logs. No evidence in the description suggests privilege escalation or code execution; the impact is limited to disclosure of data that resides on the file system of the host running WordPress.

Affected Systems

WordPress sites that install the Arraytics Eventin plugin version 4.0.26 or earlier are affected. All instances of the plugin delivered through the wp‑event‑solution package fall under this risk, regardless of other plugins or WordPress core version.

Risk and Exploitability

The CVSS score of 7.5 indicates a moderate to high severity, while the EPSS score of 9% shows a relatively significant likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. Attackers can exploit the flaw remotely by targeting the plugin’s download endpoint with a URL that includes a traversal sequence such as ../../../../etc/passwd. The description does not state any authentication or privilege requirement, so the attack is presumed to be possible against public interfaces of the host. If successful, the attacker can obtain arbitrary files, potentially exposing confidential information and compromising site integrity.

Generated by OpenCVE AI on May 2, 2026 at 08:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Eventin to the latest version that fixes the path traversal flaw (any release after 4.0.26).
  • If an upgrade is not immediately possible, disable or remove the plugin’s file download endpoint or alter the code to reject any request containing relative path components such as "../" before processing.
  • Configure a web application firewall or server rule set to block HTTP requests that contain traversal sequences targeting the Eventin download endpoint.
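As an added illustration of the second recommended action (example code, not Eventin's own), a download handler that refuses traversal components up front and then verifies that the canonicalised path still lies inside the directory it is allowed to serve; the function name, the `file` query parameter and the `eventin-files` upload directory are assumptions.

```php
<?php
// Added example, not Eventin's code. $base_dir, the 'file' parameter and
// eventin_safe_download_path() are assumptions made for illustration.

/**
 * Resolve a user-supplied file name to an absolute path inside $base_dir,
 * or return null if the request cannot be served safely.
 */
function eventin_safe_download_path(string $base_dir, string $requested): ?string {
    // Reject empty names, NUL bytes and any '..' segment before touching the filesystem.
    if ($requested === '' || strpos($requested, "\0") !== false) {
        return null;
    }
    foreach (explode('/', str_replace('\\', '/', $requested)) as $segment) {
        if ($segment === '..') {
            return null;
        }
    }

    // Canonicalise the base directory; fail closed if it does not exist.
    $base = realpath($base_dir);
    if ($base === false) {
        return null;
    }
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;

    // realpath() collapses '.' segments and symlinks; false if the file is missing.
    $full = realpath($base . $requested);
    if ($full === false || !is_file($full)) {
        return null;
    }

    // The canonical target must still be prefixed by the canonical base directory.
    if (strncmp($full, $base, strlen($base)) !== 0) {
        return null;
    }
    return $full;
}

// Usage inside a WordPress request handler (directory name is an assumption).
$base_dir  = WP_CONTENT_DIR . '/uploads/eventin-files';
$requested = isset($_GET['file']) ? (string) $_GET['file'] : '';
$path = eventin_safe_download_path($base_dir, $requested);
if ($path === null) {
    status_header(400);
    exit('Invalid file request.');
}
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
readfile($path);
```

The prefix comparison on the realpath() result is the check that matters; the early `..` rejection only gives a clearer failure mode and a cheap point to log attempts at.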


Tracking


Advisories

Source: EUVD
ID: EUVD-2025-14869
Title: Relative Path Traversal vulnerability in Themewinter Eventin allows Path Traversal.This issue affects Eventin: from n/a through 4.0.26.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics (cvssV3_1)
Values Removed: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
Values Added: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values Removed: Relative Path Traversal vulnerability in Themewinter Eventin allows Path Traversal.This issue affects Eventin: from n/a through 4.0.26.
Values Added: Relative Path Traversal vulnerability in Arraytics Eventin wp-event-solution allows Path Traversal.This issue affects Eventin: from n/a through <= 4.0.26.

Type: Title
Values Removed: WordPress Eventin <= 4.0.26 - Arbitrary File Download Vulnerability
Values Added: WordPress Eventin plugin <= 4.0.26 - Arbitrary File Download Vulnerability

Type: References
(no values shown)

Type: Metrics (cvssV3_1)
Values Removed: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}
Values Added: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Tue, 12 Aug 2025 02:00:00 +0000

Type: CPEs
Values Added: cpe:2.3:a:themewinter:eventin:*:*:*:*:*:wordpress:*:*

Wed, 14 May 2025 14:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 14 May 2025 11:45:00 +0000

Type: Description
Values Added: Relative Path Traversal vulnerability in Themewinter Eventin allows Path Traversal.This issue affects Eventin: from n/a through 4.0.26.

Type: Title
Values Added: WordPress Eventin <= 4.0.26 - Arbitrary File Download Vulnerability

Type: Weaknesses
Values Added: CWE-23

Type: References
(no values shown)

Type: Metrics (cvssV3_1)
Values Added: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


Subscriptions

Themewinter Eventin
MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-12T00:16:18.055Z

Reserved: 2025-05-07T09:38:32.079Z

Link: CVE-2025-47445

Vulnrichment

Updated: 2025-05-14T13:27:26.754Z

NVD

Status : Modified

Published: 2025-05-14T12:15:19.660

Modified: 2026-04-23T15:30:13.730

Link: CVE-2025-47445

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T08:30:26Z

Weaknesses