CVE-2025-47445
Published 2025-05-14
CVE-2025-47445: Relative Path Traversal vulnerability in Arraytics Eventin (wp-event-solution) allows Path Traversal. This issue affects Eventin: from n/a through 4.0.26.
Priority P182 · critical 9.8 · CVSS 3.1
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW · Exploit · VulnCheck KEV
Exploited in the wild
EPSS: 4.65% (90.6th percentile)
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| arraytics | eventin | <= 4.0.26 | — |
| themewinter | eventin | < 4.0.27 | 4.0.27 |
Detection & IOCs (extracted from sources)
YARA
    rule CVE_2025_47445_Eventin_PathTraversal {
        strings:
            $req  = "action=proxy_image"
            $lfi1 = "/etc/passwd"
            $lfi2 = "/windows/win.ini"
        condition:
            $req and ($lfi1 or $lfi2)
    }
Sigma
    title: CVE-2025-47445 Eventin Arbitrary File Download
    status: experimental
    description: Detects path traversal exploitation of WordPress Eventin plugin via proxy_image action
    logsource:
        category: webserver
    detection:
        selection:
            cs-uri-stem|contains: '/wp-admin/admin-ajax.php'
            cs-uri-query|contains: 'action=proxy_image'
            cs-uri-query|contains|any:
                - '/etc/passwd'
                - '/windows/win.ini'
                - '../'
        condition: selection
    falsepositives:
        - None expected
    level: high
    tags:
        - cve.2025.47445
Notes
- The exploit is unauthenticated (no privileges or user interaction required); monitor for POST requests to /wp-admin/admin-ajax.php with action=proxy_image and a url parameter containing path traversal sequences or sensitive file paths. Note that the Sigma rule above inspects only the query string (cs-uri-query), so a url parameter sent in a POST body is visible only with request-body logging or at a WAF.
- A successful exploitation response for Linux targets will match the regex 'root:.*:0:0:' (content of /etc/passwd); for Windows targets look for '[fonts]', '[extensions]', or '[files]' in the response body (content of win.ini).
- An HTTP 400 status code is also used as a positive match indicator in the PoC template alongside the file-content regex, suggesting the endpoint may return 400 even on a successful file read; correlate the status with the response body content rather than treating 400 as failure.
- The Shodan dork 'html:"wp-event-solution"' can be used to identify internet-exposed instances of the plugin for asset discovery.
- Affected versions are Eventin (wp-event-solution) n/a through 4.0.26; version 4.0.27 or later is patched. Fingerprint the plugin version via readme.txt or the plugin header to identify vulnerable installs.
- The PoC uses two payloads (/etc/passwd and /windows/win.ini) with stop-at-first-match, meaning only one request is sent per target once a match is found; detection rules should account for either payload being used independently.
- The CWE-23 (Relative Path Traversal) label notwithstanding, the public PoC passes absolute paths (/etc/passwd, /windows/win.ini) directly in the url parameter rather than '../' sequences; WAF rules relying solely on '../' detection will miss those requests, so match on the target file paths as well.
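The notes above describe the detection logic in prose: match requests to admin-ajax.php with action=proxy_image whose url parameter carries a traversal sequence or an absolute sensitive path, confirm success from the response body rather than the status code, and triage assets by plugin version. The script below is an added example that puts those checks into working code; it is not code from the page, the plugin vendor, Patchstack or the Nuclei project. It assumes combined-log-format access logs (the sample lines are constructed, with RFC 5737 test addresses), and it generalizes slightly beyond the page's literal IOCs by also flagging double-encoded payloads, Windows drive paths and file: URLs. The `Stable tag:` readme.txt header is the standard WordPress plugin convention; that a given install exposes readme.txt is an assumption.

```python
"""Hunt for CVE-2025-47445 (Eventin proxy_image arbitrary file download) in web logs.
Added example, not code from the plugin or the Nuclei template; assumes combined log format."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (RFC 5737 test addresses), not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [14/May/2025:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=proxy_image&url=/etc/passwd HTTP/1.1" 400 1234 "-" "curl/8.0"
203.0.113.11 - - [14/May/2025:10:01:05 +0000] "GET /wp-admin/admin-ajax.php?action=proxy_image&url=..%2F..%2F..%2Fwindows%2Fwin.ini HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.7 - - [14/May/2025:10:02:00 +0000] "GET /wp-admin/admin-ajax.php?action=proxy_image&url=https%3A%2F%2Fcdn.example.com%2Fbanner.jpg HTTP/1.1" 200 48211 "-" "Mozilla/5.0"
198.51.100.8 - - [14/May/2025:10:02:30 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 64 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

# The PoC sends absolute paths (/etc/passwd, /windows/win.ini), so matching only
# "../" is not enough: flag traversal sequences AND absolute local paths.
LOCAL_FILE_RE = re.compile(
    r'\.\.[\\/]'                              # ../ or ..\ traversal
    r'|^(?:file:)?/'                          # absolute POSIX path or file: URL
    r'|^[a-zA-Z]:[\\/]'                       # Windows drive path
    r'|windows[\\/]win\.ini|etc[\\/]passwd',  # the PoC's target files anywhere
    re.I)

def suspicious_url_param(values):
    """Return the first url= value that looks like a local file read, else None."""
    for v in values:
        decoded = unquote(v)  # parse_qs decoded once; this catches double-encoding
        if LOCAL_FILE_RE.search(decoded):
            return decoded
    return None

def analyze_request(target, body=None):
    """Classify one request; body is the form-encoded POST body if it was captured.
    Returns (flagged, detail). Caveat: a plain access log shows only the query
    string, so a url= sent in a POST body needs body logging or a WAF to be seen."""
    parts = urlsplit(target)
    if not parts.path.endswith('/wp-admin/admin-ajax.php'):
        return False, 'not admin-ajax'
    params = parse_qs(parts.query, keep_blank_values=True)
    if body:
        for key, vals in parse_qs(body, keep_blank_values=True).items():
            params.setdefault(key, []).extend(vals)
    if 'proxy_image' not in params.get('action', []):
        return False, 'other action or parameters not logged'
    hit = suspicious_url_param(params.get('url', []))
    if hit is None:
        return False, 'proxy_image with remote url'
    return True, hit

def scan_log(text):
    """Return [(ip, status, payload)] for each line that looks like an exploit attempt."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        flagged, detail = analyze_request(m['target'])
        if flagged:
            hits.append((m['ip'], int(m['status']), detail))
    return hits

# Response-side confirmation from the PoC: the body, not the status, proves a read
# (the template treats HTTP 400 as a positive match alongside the content regex).
PASSWD_RE = re.compile(r'root:.*:0:0:')
WININI_MARKERS = ('[fonts]', '[extensions]', '[files]')

def read_succeeded(body):
    """Return which target file the response body contains, or None."""
    if PASSWD_RE.search(body):
        return 'linux:/etc/passwd'
    lowered = body.lower()
    if any(marker in lowered for marker in WININI_MARKERS):
        return 'windows:win.ini'
    return None

# Asset triage: parse the "Stable tag:" header of a plugin readme.txt (standard
# WordPress convention; exposure of readme.txt is assumed) and compare to the fix.
FIXED = (4, 0, 27)

def vulnerable_version(readme_text):
    """Return (is_vulnerable, version_tuple), or (None, None) if no Stable tag found."""
    m = re.search(r'^Stable tag:\s*([\d.]+)', readme_text, re.M | re.I)
    if not m:
        return None, None
    version = tuple(int(x) for x in m.group(1).split('.'))
    return version < FIXED, version

if __name__ == '__main__':
    for ip, status, payload in scan_log(SAMPLE_LOG):
        print(f'{ip} status={status} url={payload!r}')
```

Run against a real log by replacing SAMPLE_LOG with the file contents; the 400 on the first sample line is deliberately left flagged, since the PoC notes above show the status is not a reliable failure signal. Feed `read_succeeded` the captured response body (from a WAF or proxy) to separate attempts from confirmed reads.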
CVSS provenance
NVD (v3.1): 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
VulnCheck: 9.8 CRITICAL
GHSA
GHSA-c3pr-284f-8x9f: Relative Path Traversal vulnerability in Themewinter Eventin allows Path Traversal
GHSA unreviewed · 2025-05-14 · severity HIGH · CWE-23
Relative Path Traversal vulnerability in Themewinter Eventin allows Path Traversal. This issue affects Eventin: from n/a through 4.0.26.
VulnCheck
Themewinter Eventin Relative Path Traversal Vulnerability
VulnCheck · 2025 · CVSS 9.8 CRITICAL
Relative Path Traversal vulnerability in Themewinter Eventin allows Path Traversal. This issue affects Eventin: from n/a through 4.0.26.
Affected: Themewinter Eventin
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://patchstack.com/database/wordpress/plugin/wp-event-solution/vulnerability/wordpress-eventin-4-0-26-arbitrary-file-download-vulnerability; https://www.cve.org/CVERecord?id=CVE-2025-47445
No detection rules found.
Nuclei
WordPress Eventin (Themewinter) ≤ 4.0.26 - Arbitrary File Download
Nuclei · CVSS 9.8 CRITICAL
Themewinter Eventin contains a path traversal caused by relative path manipulation that lets an unauthenticated attacker read arbitrary files on the server; the exploit requires no specific privileges or user interaction.
Template:
    id: CVE-2025-47445
    info:
        name: WordPress Eventin (Themewinter) ≤ 4.0.26 - Arbitrary File Download
        author: hnd3884
        severity: high
        description: |
            Themewinter Eventin contains a path traversal caused by relative path manipulation, letting attackers access arbitrary files on the server, exploit requires no specific privileges or user interaction.
        impact: |
            Attackers can access sensitive files on the server, potentially leading to information disclosure or system compromise.
        remediation: |
            Update to the latest version