Description
The Events Calendar, Event Booking, Registrations and Event Tickets – Eventin plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 4.0.37 via the proxy_image function. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
Published: 2025-08-23
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Server-Side Request Forgery
Action: Apply Patch
AI Analysis

Impact

The Eventin plugin for WordPress contains an SSRF vulnerability in the proxy_image function that allows unauthenticated attackers to trigger web requests from the application to arbitrary URLs. This can expose internal resources or modify data on services reachable from the host, potentially leaking sensitive information or enabling further attacks such as credential compromise or denial of service. The weakness is classified as CWE-918.

Affected Systems

The vulnerability affects the Eventin – Event Calendar, Event Registration, Tickets & Booking (AI Powered) plugin version 4.0.37 and all earlier releases. The plugin is distributed by arraytics and installed via the WordPress plugin repository.

Risk and Exploitability

The CVSS score of 7.2 categorizes the issue as a high-severity risk. The EPSS score of less than 1% indicates that exploitation is considered unlikely at present, and the vulnerability is not currently listed in the CISA KEV catalog. Attackers would leverage the public proxy_image endpoint to issue requests to internal IPs or service endpoints, so the threat is most relevant in environments where the WordPress site can reach sensitive internal services.

Generated by OpenCVE AI on April 20, 2026 at 19:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Eventin plugin to version 4.0.38 or later where the SSRF issue is fixed.
  • If an update is not immediately possible, remove or comment out the proxy_image function in the plugin’s code to block the vulnerable functionality.
  • Implement network-level controls or firewall rules to restrict outbound HTTP requests from the WordPress server to only trusted external destinations, thereby limiting the impact of any remaining SSRF vectors.

Generated by OpenCVE AI on April 20, 2026 at 19:48 UTC.
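As an added defensive illustration (not Eventin's code, and not a description of how its proxy_image function is implemented), this is the kind of target check an image-proxy endpoint should run before fetching a caller-supplied URL; the hostnames, addresses and stub resolver are constructed for the example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Policy for an image proxy: plain web schemes and ports only, public addresses only.
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}


def is_public_address(ip: str) -> bool:
    """True only for globally routable unicast addresses (IPv4-mapped IPv6 unwrapped)."""
    addr = ipaddress.ip_address(ip)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return addr.is_global and not addr.is_multicast


def validate_proxy_target(url: str, resolver=socket.getaddrinfo):
    """Return (ok, reason, addresses). Run before fetching; then connect only to the
    returned addresses (keeping the original Host header) so a DNS rebind cannot
    swap in an internal address after this check has passed."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed", []
    if parts.username or parts.password:
        return False, "credentials in URL", []
    host = parts.hostname
    if not host:
        return False, "missing host", []
    try:
        port = parts.port or (443 if scheme == "https" else 80)
    except ValueError:
        return False, "malformed port", []
    if port not in ALLOWED_PORTS:
        return False, "port not allowed", []
    try:
        infos = resolver(host, port, proto=socket.IPPROTO_TCP)
    except (OSError, ValueError):
        return False, "host does not resolve", []
    addrs = sorted({info[4][0] for info in infos})  # every A/AAAA answer must pass
    if not addrs:
        return False, "host does not resolve", []
    for ip in addrs:
        if not is_public_address(ip):
            return False, "resolves to non-public address " + ip, []
    return True, "ok", addrs


def _constructed_resolver(host, port, proto=0):
    # Constructed stand-in for DNS: one public name, one name pointing at an internal host.
    table = {"cdn.example": ["93.184.216.34"], "intranet.example": ["10.0.0.5"]}
    return [(socket.AF_INET, socket.SOCK_STREAM, 6, "", (ip, port)) for ip in table[host]]
```

Resolving first and then checking every returned address is what distinguishes this from a hostname blocklist, which a name that resolves to an internal address would pass.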

Tracking


Advisories
Source | ID | Title
EUVD | EUVD-2025-25631 | The Events Calendar, Event Booking, Registrations and Event Tickets – Eventin plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 4.0.37 via the proxy_image function. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
History

Mon, 25 Aug 2025 21:45:00 +0000

Type | Values Removed | Values Added
Metrics ssvc | | {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sun, 24 Aug 2025 22:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Wordpress; Wordpress wordpress
Vendors & Products | | Wordpress; Wordpress wordpress

Sat, 23 Aug 2025 06:00:00 +0000

Type | Values Removed | Values Added
Description | | The Events Calendar, Event Booking, Registrations and Event Tickets – Eventin plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 4.0.37 via the proxy_image function. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
Title | | Event Manager, Events Calendar, Booking, Registrations and Tickets – Eventin <= 4.0.37 - Unauthenticated Server-Side Request Forgery
Weaknesses | | CWE-918
References | |
Metrics cvssV3_1 | | {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N'}


Subscriptions

Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:13:37.374Z

Reserved: 2025-07-18T15:45:12.183Z

Link: CVE-2025-7813

Vulnrichment

Updated: 2025-08-25T18:43:03.619Z

NVD

Status : Deferred

Published: 2025-08-23T06:15:29.607

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-7813

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T20:00:10Z

Weaknesses