Description
The Eventin plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 4.0.34. This is due to the plugin not properly validating a user's identity or capability prior to updating their details, such as the email address, in the 'Eventin\Speaker\Api\SpeakerController::update_item' function. This makes it possible for authenticated attackers with contributor-level and above permissions to change arbitrary users' email addresses, including administrators', and leverage that to reset the user's password and gain access to their account.
Published: 2025-08-08
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Immediate Patch
AI Analysis

Impact

The Eventin plugin for WordPress fails to verify, in SpeakerController::update_item, that the calling user is entitled to modify the target user before it writes fields such as the email address. Any authenticated user with contributor-level privileges or higher can therefore change the email address of any other user. By pointing an administrator's address at a mailbox they control, the attacker requests a password reset, receives the reset link, and takes over the administrator account, gaining full control of the site. The flaw is an object-level authorization failure (CWE-639, Authorization Bypass Through User-Controlled Key): the endpoint checks the caller's role but not whether the caller may act on the specific record the request names.

Affected Systems

WordPress sites running the Eventin plugin, versions 4.0.34 and earlier. The vulnerability is present in the SpeakerController update_item routine in the core files of the plugin; affected users include all registered WordPress accounts, with administrators being the most critical targets.
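As an added illustration of the flaw class, not Eventin's own code and not its fix: a minimal WordPress REST controller that shows the pattern the advisory describes (a role check in the permission callback, then an unconditional write to whichever user the record points at) next to a hardened version that performs object-level authorization. The namespace 'example/v1', the route, the post type, the 'linked_user_id' meta key and the class names are all hypothetical.

```php
<?php
// Added illustration of the CWE-639 pattern; not code from Eventin or its patch.
// Hypothetical names: namespace 'example/v1', route '/speakers/<id>', post type
// 'example_speaker', and post-meta key 'linked_user_id' mapping a speaker to a WP user.

/**
 * Vulnerable pattern: permission_callback only asks "is the caller a Contributor
 * or better?"; update_item then writes to whatever user the speaker record
 * references. Any Contributor can change an administrator's email and request a
 * password reset to the new address.
 */
class Example_Vulnerable_Speaker_Controller extends WP_REST_Controller {
    public function register_routes() {
        register_rest_route( 'example/v1', '/speakers/(?P<id>\d+)', [
            'methods'             => WP_REST_Server::EDITABLE,
            'callback'            => [ $this, 'update_item' ],
            'permission_callback' => function () {
                return current_user_can( 'edit_posts' ); // role check only, no object check
            },
        ] );
    }

    public function update_item( $request ) {
        $user_id = (int) get_post_meta( (int) $request['id'], 'linked_user_id', true );
        // Nothing verifies that the caller may act on $user_id.
        return rest_ensure_response( wp_update_user( [
            'ID'         => $user_id,
            'user_email' => sanitize_email( $request['email'] ),
        ] ) );
    }
}

/**
 * Hardened pattern: the caller must be the user linked to the speaker, or hold
 * the 'edit_user' meta capability for that specific user (WordPress maps it to
 * 'edit_users', which only administrators have by default).
 */
class Example_Hardened_Speaker_Controller extends WP_REST_Controller {
    public function register_routes() {
        register_rest_route( 'example/v1', '/speakers/(?P<id>\d+)', [
            'methods'             => WP_REST_Server::EDITABLE,
            'callback'            => [ $this, 'update_item' ],
            'permission_callback' => [ $this, 'update_item_permissions_check' ],
            'args'                => [
                'email' => [
                    'required'          => true,
                    'validate_callback' => function ( $value ) { return is_email( $value ) !== false; },
                    'sanitize_callback' => 'sanitize_email',
                ],
            ],
        ] );
    }

    // Resolve the target user from the speaker record only; never from the request body.
    private function linked_user_id( $speaker_id ) {
        $post = get_post( $speaker_id );
        if ( ! $post || 'example_speaker' !== $post->post_type ) {
            return 0;
        }
        return (int) get_post_meta( $post->ID, 'linked_user_id', true );
    }

    public function update_item_permissions_check( $request ) {
        $user_id = $this->linked_user_id( (int) $request['id'] );
        if ( ! $user_id ) {
            return new WP_Error( 'rest_not_found', 'Unknown speaker.', [ 'status' => 404 ] );
        }
        if ( get_current_user_id() !== $user_id && ! current_user_can( 'edit_user', $user_id ) ) {
            return new WP_Error( 'rest_forbidden', 'You may not modify this user.',
                [ 'status' => rest_authorization_required_code() ] );
        }
        return true;
    }

    public function update_item( $request ) {
        $user_id = $this->linked_user_id( (int) $request['id'] );
        $result  = wp_update_user( [ 'ID' => $user_id, 'user_email' => $request['email'] ] );
        if ( is_wp_error( $result ) ) {
            return $result; // e.g. 'existing_user_email' when the address is already taken
        }
        return rest_ensure_response( [ 'updated' => $user_id ] );
    }
}
```

Note that wp_update_user() applies a new address immediately; it does not send the confirmation link that core's profile screen uses. Even for a user editing their own record, a stricter design confirms the change through the new mailbox (or requires the current password) before switching the address that password resets are sent to.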

Risk and Exploitability

The CVSS 3.1 score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) reflects high severity: a remote attacker with low privileges needs no user interaction and gains full confidentiality, integrity and availability impact. The EPSS score of under 1% estimates a low probability of exploitation in the wild over the next 30 days, not that exploitation is difficult. The vulnerability is not listed in the CISA KEV catalog, and the SSVC assessment records no known exploitation and rates it not automatable, but the prerequisite is only a Contributor or higher account, a role commonly granted on multi-author sites and on sites with open registration. Exploitation requires no special skill beyond sending an authenticated request to the speaker update endpoint; the missing object-level check makes the attack straightforward. The high CVSS score combined with full account takeover makes immediate remediation essential.

Generated by OpenCVE AI on April 22, 2026 at 00:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Eventin plugin to the latest released version (4.0.35 or newer).
  • If the upgrade cannot be performed immediately, downgrade Contributor-level (and other non-administrator) accounts to Subscriber until the update is applied, and review recently registered or unfamiliar accounts that hold such roles.
  • Alternatively, apply a temporary restriction on the REST endpoint that updates speaker details (for example via a must-use plugin or a WAF rule) so that only administrators or designated users can reach it, blocking all contributor-level users until the vulnerability is patched.
  • After patching, check administrator accounts for email addresses that changed, and for password resets requested, without the owner's knowledge; treat any such account as compromised and rotate its credentials.
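One way to implement the temporary endpoint restriction from the recommended actions, as an added example that is not OpenCVE's or Eventin's code: a must-use plugin that denies write requests to the speaker route to anyone who cannot edit users. The route regular expression is an assumption; confirm the real route from the plugin's register_rest_route() calls (or from the route listing at GET /wp-json/) before deploying it.

```php
<?php
/**
 * Plugin Name: Temporary Eventin speaker endpoint restriction
 * Description: Stopgap added as an example here (not Eventin or OpenCVE code).
 *              Place in wp-content/mu-plugins/ until the plugin is upgraded,
 *              then delete it.
 */

// ASSUMPTION: hypothetical route pattern. Replace it with the route the
// installed plugin actually registers for speaker updates.
const EVENTIN_TMP_BLOCKED_ROUTE = '#^/eventin/v\d+/speakers/\d+/?$#';

add_filter( 'rest_request_before_callbacks', function ( $response, $handler, $request ) {
    // Only write methods matter; get_method() already reflects X-HTTP-Method-Override.
    if ( ! in_array( $request->get_method(), [ 'POST', 'PUT', 'PATCH' ], true ) ) {
        return $response;
    }
    if ( ! preg_match( EVENTIN_TMP_BLOCKED_ROUTE, $request->get_route() ) ) {
        return $response;
    }
    // Only users who may edit other users (administrators by default) proceed.
    if ( current_user_can( 'edit_users' ) ) {
        return $response;
    }
    error_log( sprintf(
        'eventin-tmp-block: user %d denied %s %s',
        get_current_user_id(),
        $request->get_method(),
        $request->get_route()
    ) );
    // Returning a WP_Error here short-circuits the request before the route's
    // own permission_callback and callback run.
    return new WP_Error(
        'rest_forbidden',
        'This endpoint is temporarily restricted.',
        [ 'status' => rest_authorization_required_code() ]
    );
}, 10, 3 );
```

This also blocks legitimate speakers from editing their own profile through the endpoint, which is the intended trade-off for a stopgap; the error_log() line gives a simple indicator of who attempted the call while the block is in place. Remove the file once the plugin has been upgraded.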



Advisories
Source: EUVD
ID: EUVD-2025-24006
Title: The Eventin plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 4.0.34. This is due to the plugin not properly validating a user's identity or capability prior to updating their details like email in the 'Eventin\Speaker\Api\SpeakerController::update_item' function. This makes it possible for unauthenticated attackers with contributor-level and above permissions to change arbitrary user's email addresses, including administrators, and leverage that to reset the user's password and gain access to their account.
History

Wed, 13 Aug 2025 19:45:00 +0000

Type Values Removed Values Added
First Time appeared Themewinter
Themewinter eventin
CPEs cpe:2.3:a:themewinter:eventin:*:*:*:*:*:wordpress:*:*
Vendors & Products Themewinter
Themewinter eventin

Tue, 12 Aug 2025 08:00:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Fri, 08 Aug 2025 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 08 Aug 2025 18:45:00 +0000

Type Values Removed Values Added
Description The Eventin plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 4.0.34. This is due to the plugin not properly validating a user's identity or capability prior to updating their details like email in the 'Eventin\Speaker\Api\SpeakerController::update_item' function. This makes it possible for unauthenticated attackers with contributor-level and above permissions to change arbitrary user's email addresses, including administrators, and leverage that to reset the user's password and gain access to their account.
Title Eventin <= 4.0.34 - Authenticated (Contributor+) Privilege Escalation via User Email Change/Account Takeover
Weaknesses CWE-639
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:11:41.513Z

Reserved: 2025-05-15T17:20:16.666Z

Link: CVE-2025-4796

Vulnrichment

Updated: 2025-08-08T18:57:56.090Z

NVD

Status : Analyzed

Published: 2025-08-08T19:15:36.140

Modified: 2025-08-13T19:31:04.300

Link: CVE-2025-4796

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T01:00:04Z

Weaknesses