cbcvebase.
CVE-2025-47445
published 2025-05-14

CVE-2025-47445: Relative Path Traversal vulnerability in Arraytics Eventin (wp-event-solution) allows Path Traversal. This issue affects Eventin: from n/a through 4.0.26.

Priority: P1 · 82 · critical · 9.8 (CVSS 3.1)
CVSS vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Flags: ITW · Exploit · VulnCheck KEV
Exploited in the wild
EPSS: 4.65% (90.6th percentile)

Affected (2 ranges)

Vendor       Product   Version range   Fixed in
arraytics    eventin   <= 4.0.26       (not listed)
themewinter  eventin   < 4.0.27        4.0.27

Detection & IOCs (extracted from sources)

url:   /wp-admin/admin-ajax.php?action=proxy_image&url=/etc/passwd
path:  /wp-admin/admin-ajax.php
other: action=proxy_image
yara:

rule CVE_2025_47445_Eventin_PathTraversal
{
    meta:
        description = "Eventin (wp-event-solution) proxy_image path traversal request, CVE-2025-47445"
    strings:
        // AJAX action abused by the public PoC
        $req  = "action=proxy_image"
        // file targets used by the PoC payloads
        $lfi1 = "/etc/passwd"
        $lfi2 = "/windows/win.ini"
    condition:
        $req and ($lfi1 or $lfi2)
}
sigma:

title: CVE-2025-47445 Eventin Arbitrary File Download
status: experimental
description: Detects path traversal exploitation of the WordPress Eventin plugin (wp-event-solution) via the proxy_image admin-ajax action
logsource:
  category: webserver
detection:
  selection:
    cs-uri-stem|contains: '/wp-admin/admin-ajax.php'
    cs-uri-query|contains: 'action=proxy_image'
    cs-uri-query|contains|any:
      - '/etc/passwd'
      - '/windows/win.ini'
      - '../'
  condition: selection
falsepositives:
  - Legitimate image URLs passed to proxy_image that happen to contain '../' path segments (rare; review the url parameter)
level: high
tags:
  - cve.2025.47445
Notes from sources

• Exploitation is unauthenticated (no privileges or user interaction required). Monitor requests to /wp-admin/admin-ajax.php (GET or POST; admin-ajax.php accepts both) with action=proxy_image and a url parameter containing path traversal sequences or sensitive file paths. A url parameter sent in a POST body will not appear in a plain access log, so request-body logging or a WAF is needed to see that variant.
• A successful read on a Linux target returns a body matching the regex 'root:.*:0:0:' (content of /etc/passwd); on Windows targets look for '[fonts]', '[extensions]', or '[files]' in the response body (content of win.ini).
• The PoC template treats HTTP status 400 as a positive match indicator alongside the file-content regex, which suggests the endpoint may return 400 even on a successful file read. Do not filter on 2xx status alone; correlate the status with the response body.
• The Shodan dork 'html:"wp-event-solution"' can be used to identify internet-exposed instances of the plugin for asset discovery.
• Affected versions are Eventin (wp-event-solution) n/a through 4.0.26; version 4.0.27 or later is patched. Fingerprint the installed version via the plugin's readme.txt (Stable tag line, by convention at /wp-content/plugins/wp-event-solution/readme.txt) or the plugin header.
• The PoC uses two payloads (/etc/passwd and /windows/win.ini) with stop-at-first-match, so only one request is sent per target once a match is found; detection rules must fire on either payload independently.
• The CVE is classified as CWE-23 (relative path traversal), but the public PoC passes absolute paths (/etc/passwd, /windows/win.ini) directly in the url parameter with no '../' sequence. WAF or log rules that key solely on '../' will miss those requests; match the action plus the sensitive path as well.
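The detection logic above, run over sample log lines, as an added example (not code from the page, the PoC template or the Eventin project). It parses the url parameter instead of string-matching the whole query so that both the absolute-path payloads and URL-encoded '../' variants are caught, classifies a response body by the /etc/passwd and win.ini markers listed above, and compares a readme.txt Stable tag against the fixed version 4.0.27. The log lines and readme text are constructed for the example; the function names are the example's own.

```python
"""Helpers for CVE-2025-47445 (Eventin proxy_image path traversal) detection.

Added example, not from the advisory page or the Eventin project.
All inputs below are constructed samples.
"""
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, unquote, urlsplit

# File targets from the page's IOCs plus the generic traversal sequence.
SENSITIVE_PATHS = ("/etc/passwd", "/windows/win.ini")
TRAVERSAL = "../"
FIXED_VERSION = "4.0.27"

# Response-body indicators named on the page.
PASSWD_RE = re.compile(r"root:.*:0:0:")
WININI_MARKERS = ("[fonts]", "[extensions]", "[files]")

# Constructed access-log lines (simplified combined format).
SAMPLE_LOG = """\
203.0.113.5 - - [14/May/2025:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=proxy_image&url=/etc/passwd HTTP/1.1" 400 1203
203.0.113.5 - - [14/May/2025:10:01:03 +0000] "GET /wp-admin/admin-ajax.php?action=proxy_image&url=..%2F..%2Fwp-config.php HTTP/1.1" 200 3001
198.51.100.9 - - [14/May/2025:10:02:00 +0000] "GET /wp-admin/admin-ajax.php?action=proxy_image&url=https://cdn.example.com/a.png HTTP/1.1" 200 45210
198.51.100.9 - - [14/May/2025:10:02:05 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 52
"""

# Constructed readme.txt fragment in the WordPress plugin readme layout.
SAMPLE_README = "=== Eventin ===\nContributors: arraytics\nStable tag: 4.0.26\nRequires at least: 5.0\n"

LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def is_exploit_request(target: str) -> bool:
    """True when a request target matches the proxy_image traversal pattern."""
    parts = urlsplit(target)
    if not parts.path.endswith("/wp-admin/admin-ajax.php"):
        return False
    qs = parse_qs(parts.query)  # decodes percent-encoding once
    if "proxy_image" not in qs.get("action", []):
        return False
    for raw in qs.get("url", []):
        # Second decode catches double-encoded payloads; normalise backslashes.
        val = unquote(raw).replace("\\", "/").lower()
        if TRAVERSAL in val or any(p in val for p in SENSITIVE_PATHS):
            return True
    return False


def scan_log(text: str) -> List[Tuple[str, str]]:
    """Return (status, target) for every log line that looks like exploitation."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m and is_exploit_request(m.group("target")):
            hits.append((m.group("status"), m.group("target")))
    return hits


def classify_response(body: str) -> Optional[str]:
    """Name the leaked file if the response body carries a known marker."""
    if PASSWD_RE.search(body):
        return "linux:/etc/passwd"
    lowered = body.lower()
    if any(marker in lowered for marker in WININI_MARKERS):
        return "windows:win.ini"
    return None


def version_from_readme(readme: str) -> Optional[str]:
    """Extract the 'Stable tag:' version from a plugin readme.txt."""
    m = re.search(r"^Stable tag:\s*([\d.]+)", readme, re.M | re.I)
    return m.group(1) if m else None


def is_vulnerable_version(version: str) -> bool:
    """Numeric comparison against the fixed release (4.0.27)."""
    def key(v: str) -> Tuple[int, ...]:
        return tuple(int(x) for x in v.split("."))
    return key(version) < key(FIXED_VERSION)


if __name__ == "__main__":
    for status, target in scan_log(SAMPLE_LOG):
        print(f"exploit attempt (status {status}): {target}")
    print("leak:", classify_response("root:x:0:0:root:/root:/bin/bash\n"))
    ver = version_from_readme(SAMPLE_README)
    print(f"plugin {ver} vulnerable: {is_vulnerable_version(ver)}")
```

The first sample line is flagged even though the server answered 400, which is the point of the status caveat above; the third line, a normal remote image URL, is not flagged, and the second shows why matching only the literal '../' string in the raw query would also miss an encoded payload unless the parameter is decoded first.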

CVSS provenance

nvd (v3.1):  9.8 CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck:   9.8 CRITICAL