The vulnerability is an Incorrect Privilege Assignment flaw that allows a user with reduced permissions to obtain higher‑level capabilities within the Eventin WordPress plugin. Because the flaw lies in how the plugin assigns and validates user roles, an attacker who can authenticate to the site with any non‑admin account can exploit the weak privilege checks to gain administrator rights. The vulnerability is a classic example of CWE‑266, resulting in unauthorized increase of privilege. The impact is complete loss of role‑based access control, enabling an attacker to modify site settings, access sensitive data, install additional plugins, and potentially compromise the entire WordPress installation.

Arraytics Eventin plugin for WordPress (wp‑event‑solution) is affected in all releases from the earliest available version through version 4.0.26. This includes any WordPress site that has the Eventin plugin installed at or below the stated version threshold. No other products or vendors are listed.

The CVSS score of 9.8 indicates critical severity. The EPSS score of 28% shows a relatively high probability that the flaw could be exploited in the wild at the time of assessment. The vulnerability is not yet listed in the CISA KEV catalog, but given its high impact it should be treated with the same urgency. Exploitation requires authentication as a low‑privilege user; the attacker can then use standard plugin administration actions to elevate privileges. The attack vector is likely local to the WordPress admin interface and does not require remote code execution or network access beyond normal site traffic.