CVE-2025-47539
published 2025-05-23


Priority: P1 89 · critical · CVSS 3.1 base score 9.8
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW exploit · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 30.92% (98.0th percentile)
Incorrect Privilege Assignment vulnerability in Arraytics Eventin wp-event-solution allows Privilege Escalation. This issue affects Eventin: from n/a through <= 4.0.26.

Affected (2 ranges)

Vendor        Product   Version range   Fixed in
arraytics     eventin   <= 4.0.26       -
themewinter   eventin   < 4.0.27        4.0.27

Detection & IOCs (extracted from sources)

url: /wp-json/eventin/v2/speakers/import?_locale=user
path: /wp-content/plugins/eventin
  • Detect unauthenticated POST requests to the Eventin REST API speaker import endpoint; no authentication headers should be present and the multipart body should contain a 'role' field set to 'administrator' or other privileged roles.
  • Alert on HTTP 200 responses containing the string 'Successfully imported speaker' from the /wp-json/eventin/v2/speakers/import endpoint, indicating successful exploitation.
  • Inspect multipart/form-data uploads to the speakers/import endpoint for a JSON payload containing '"role": "administrator"', which indicates an attempt to escalate privileges via user import.
  • Monitor for new WordPress administrator accounts created without a corresponding authenticated session or admin action, especially accounts whose email domain matches external/OAST infrastructure.
  • Use the FOFA/Shodan fingerprint 'body=/wp-content/plugins/eventin' to identify exposed Eventin plugin instances for proactive patching or monitoring.
  • The vulnerability affects Eventin plugin versions up to and including 4.0.26; version 4.0.27 introduces the missing permission check. Detections should be scoped to sites running versions <= 4.0.26.
  • The exploit uses a multipart/form-data boundary of '----WebKitFormBoundaryS5Gx6VCxm3HMV2A9'; real-world attackers will likely use different boundary strings, so detection should not rely solely on this specific boundary value.
  • The PoC template uses randomised usernames and an OAST callback domain (oast.fun) for detection; production detections should not depend on these specific values as attackers will use arbitrary email domains.
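A small detector that applies the criteria above to captured request/response records, added here as an illustration and not part of this CVE record or of the Eventin plugin; the record layout, the sample records and the JSON field names inside the imported file are constructed assumptions:

```python
import re

IMPORT_PATH = "/wp-json/eventin/v2/speakers/import"
PRIVILEGED_ROLES = {"administrator", "editor"}      # assumption: roles worth alerting on
AUTH_HEADERS = {"authorization", "x-wp-nonce"}      # WordPress REST auth signals
# the role may appear as a JSON key in the uploaded file or as a plain form field
ROLE_PATTERNS = [re.compile(r'"role"\s*:\s*"([^"]+)"'),
                 re.compile(r'name="role"\r?\n\r?\n([A-Za-z_]+)')]

def is_authenticated(headers):
    """True if an auth header or a WordPress logged-in cookie is present."""
    h = {k.lower(): v for k, v in headers.items()}
    return bool(h.keys() & AUTH_HEADERS) or "wordpress_logged_in_" in h.get("cookie", "")

def assess(rec):
    """Return detection findings for one request/response record (empty = nothing to flag)."""
    findings = []
    if rec.get("method") != "POST" or not rec.get("path", "").startswith(IMPORT_PATH):
        return findings
    if not is_authenticated(rec.get("headers", {})):
        findings.append("unauthenticated POST to speakers/import")
    for pat in ROLE_PATTERNS:
        for role in pat.findall(rec.get("body", "")):
            if role.lower() in PRIVILEGED_ROLES:
                findings.append(f"import payload sets role={role}")
    # the success string alone is normal admin activity; report it only alongside another signal
    if findings and rec.get("status") == 200 and "Successfully imported speaker" in rec.get("response", ""):
        findings.append("server confirmed import (HTTP 200, 'Successfully imported speaker')")
    return findings

# Constructed sample records, not real traffic; the boundary is deliberately not the PoC's.
BOUNDARY = "----ConstructedBoundary"
SUSPICIOUS = {
    "method": "POST", "path": IMPORT_PATH + "?_locale=user",
    "headers": {"Content-Type": f"multipart/form-data; boundary={BOUNDARY}"},
    "body": (f"--{BOUNDARY}\r\nContent-Disposition: form-data; name=\"file\"; filename=\"s.json\"\r\n"
             "Content-Type: application/json\r\n\r\n"
             '[{"name": "x", "email": "x@example.invalid", "role": "administrator"}]\r\n'
             f"--{BOUNDARY}--\r\n"),
    "status": 200, "response": '{"message":"Successfully imported speaker"}',
}
BENIGN = {
    "method": "POST", "path": IMPORT_PATH,
    "headers": {"X-WP-Nonce": "abc123", "Cookie": "wordpress_logged_in_1=user|..."},
    "body": '[{"name": "y", "email": "y@example.invalid", "role": "subscriber"}]',
    "status": 200, "response": '{"message":"Successfully imported speaker"}',
}

if __name__ == "__main__":
    for label, rec in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(label, assess(rec) or "no findings")
```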