CVE-2025-47539
Published 2025-05-23
Priority: P189 · critical · CVSS 3.1 base score 9.8
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 30.92% (98.0th percentile)
Incorrect Privilege Assignment vulnerability in Arraytics Eventin wp-event-solution allows Privilege Escalation. This issue affects Eventin: from n/a through <= 4.0.26.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| arraytics | eventin | <= 4.0.26 | — |
| themewinter | eventin | < 4.0.27 | 4.0.27 |
Detection & IOCs (extracted from sources)
- Detect unauthenticated POST requests to the Eventin REST API speaker import endpoint: the request carries no authentication headers, and the multipart body contains a 'role' field set to 'administrator' or another privileged role.
- Alert on HTTP 200 responses from the /wp-json/eventin/v2/speakers/import endpoint containing the string 'Successfully imported speaker', which indicates successful exploitation.
- Inspect multipart/form-data uploads to the speakers/import endpoint for a JSON payload containing '"role": "administrator"', which indicates an attempt to escalate privileges via user import.
- Monitor for new WordPress administrator accounts created without a corresponding authenticated session or admin action, especially accounts whose email domain matches external/OAST infrastructure.
- Use the FOFA/Shodan fingerprint 'body=/wp-content/plugins/eventin' to identify exposed Eventin plugin instances for proactive patching or monitoring.
- The vulnerability affects Eventin plugin versions up to and including 4.0.26; version 4.0.27 introduces the missing permission check. Detections should be scoped to sites running versions <= 4.0.26.
- The exploit uses a multipart/form-data boundary of '----WebKitFormBoundaryS5Gx6VCxm3HMV2A9'; real-world attackers will likely use different boundary strings, so detection should not rely solely on this specific boundary value.
- The PoC template uses randomised usernames and an OAST callback domain (oast.fun) for detection; production detections should not depend on these specific values, as attackers will use arbitrary email domains.
GHSA
GHSA-wqj4-2vw3-c5jw: Incorrect Privilege Assignment vulnerability in Themewinter Eventin allows Privilege Escalation
ghsa_unreviewed · 2025-05-23 · CVE-2025-47539 · CRITICAL · CWE-266
Incorrect Privilege Assignment vulnerability in Themewinter Eventin allows Privilege Escalation. This issue affects Eventin: from n/a through 4.0.26.
VulnCheck
Eventin Plugin REST API Privilege Escalation Vulnerability
vulncheck · 2025 · CVE-2025-47539
A privilege escalation vulnerability is present in the Eventin plugin due to a missing permission check in the /wp-json/eventin/v2/speakers/import REST API endpoint. The endpoint imports the user without validating the caller's permission to assign the requested user role.
Affected: Themewinter Eventin
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://patchstack.com/database/wordpress/plugin/wp-event-solution/vulnerability/wordpress-eventin-4-0-26-privilege-escalation-vulnerability; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2025-07-13&host_type=src&vulnerability=cve-2025-475
No detection rules found.
Nuclei
Eventin <= 4.0.26 - Privilege Escalation
nuclei · CVSS 9.8 · CVE-2025-47539
The Eventin WordPress plugin before 4.0.27 suffers from an unauthenticated privilege escalation vulnerability. Due to a missing permission check in a REST API endpoint, unauthenticated attackers can import users with arbitrary roles, including administrator, leading to full site compromise.
Template:
```yaml
id: CVE-2025-47539

info:
  name: Eventin <= 4.0.26 - Privilege Escalation
  author: pdresearch
  severity: critical
  description: |
    The Eventin WordPress plugin before 4.0.27 suffers from an unauthenticated privilege escalation vulnerability. Due to a missing permission check in a REST API endpoint, unauthenticated attackers can import users with arbitrary roles, including administrator, leading to full site compromise.
  impact: |
    Unauthenticated at
```
No writeups or analysis indexed.
2025-05-23 · Published · Exploited in the wild