Critical Vulnerability in Eventin WordPress Plugin Puts Over 10,000 Websites at Risk

A significant security flaw has been identified in the Eventin WordPress plugin, a widely used tool for event management functionalities. This vulnerability, designated as CVE-2025-47539, enables unauthenticated attackers to create administrator accounts without user interaction, thereby granting them full control over affected websites. With over 10,000 active installations, the potential impact of this flaw is substantial.

Discovery and Technical Details

The vulnerability was reported on April 19, 2025, through Patchstack’s Zero Day bug bounty program by security researcher Denver Jackson, who received a $600 reward for the discovery. The flaw resides in the plugin’s REST API endpoint responsible for handling speaker imports. Specifically, the `import_item_permissions_check()` function was implemented to return `true` without performing any actual permission validation:

```php
// Vulnerable permission callback (before the fix): it grants access
// unconditionally, so unauthenticated requests reach the import handler.
public function import_item_permissions_check($request) {
    return true;
}
```

This oversight allows any unauthenticated user to access the endpoint. Coupled with the absence of role validation when processing imported user data, attackers can submit a CSV file containing their details with an administrator role specification:

```php
// The role is copied straight from the uploaded CSV row, with no allowlist,
// so a row specifying "administrator" yields an administrator account.
$args = [
    'first_name' => !empty($row['name']) ? $row['name'] : '',
    // Other user details…
    'role'       => !empty($row['role']) ? $row['role'] : '',
];
```

By exploiting this flaw, attackers can create administrator-level accounts and gain full control over the website.

Patch and Recommendations

Themewinter, the developer of Eventin, addressed the vulnerability in version 4.0.27, released on April 30, 2025. The update includes proper permission checks and restricts the allowed roles during user imports:

```php
// Patched permission callback (4.0.27): the caller must hold one of the
// plugin's management capabilities before the import endpoint is reachable.
public function import_item_permissions_check($request) {
    return current_user_can('etn_manage_organizer') || current_user_can('etn_manage_event');
}
```
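The article notes that the fix both adds a permission check and restricts the roles an import may assign, but only shows the first half. The following is an added illustration of the full defensive pattern, not Eventin's own code: a capability-gated REST permission callback beside a CSV-row mapper that only honours an explicit allowlist of low-privilege roles. The capability names come from the article; the class name, `ALLOWED_IMPORT_ROLES`, and the method names are hypothetical.

```php
<?php
// Added example (not the plugin's code): hardened speaker-import pattern.
// Assumes a WordPress runtime (wp_insert_user, current_user_can, etc.).
// Capability names are from the advisory; everything else is illustrative.

class Hardened_Speaker_Importer {

    // Roles an importer is permitted to assign. Privileged roles such as
    // 'administrator' and 'editor' are deliberately absent from this list.
    private const ALLOWED_IMPORT_ROLES = [ 'subscriber', 'contributor' ];
    private const DEFAULT_ROLE         = 'subscriber';

    // REST permission callback: demand a real capability rather than `return true`,
    // and hand back a WP_Error so the REST layer answers 401/403 instead of 200.
    public function import_item_permissions_check( $request ) {
        if ( ! current_user_can( 'etn_manage_organizer' ) && ! current_user_can( 'etn_manage_event' ) ) {
            return new WP_Error(
                'rest_forbidden',
                'You are not allowed to import speakers.',
                [ 'status' => rest_authorization_required_code() ]
            );
        }
        return true;
    }

    // Map one CSV row to wp_insert_user() arguments. The role column is treated
    // as a request, not a fact: anything outside the allowlist falls back to
    // the default role, so a row carrying "administrator" cannot escalate.
    public function build_user_args( array $row ) {
        $requested = isset( $row['role'] ) ? sanitize_key( $row['role'] ) : '';
        $role      = in_array( $requested, self::ALLOWED_IMPORT_ROLES, true )
            ? $requested
            : self::DEFAULT_ROLE;

        return [
            'first_name' => ! empty( $row['name'] )  ? sanitize_text_field( $row['name'] ) : '',
            'user_email' => ! empty( $row['email'] ) ? sanitize_email( $row['email'] )     : '',
            'user_login' => ! empty( $row['email'] ) ? sanitize_user( $row['email'], true ) : '',
            // Never accept a password from the file; generate one and let the
            // imported user reset it through the normal flow.
            'user_pass'  => wp_generate_password( 24, true ),
            'role'       => $role,
        ];
    }

    // Create the account for a single row, rejecting malformed or duplicate rows.
    public function import_row( array $row ) {
        $args = $this->build_user_args( $row );
        if ( empty( $args['user_email'] ) || ! is_email( $args['user_email'] ) ) {
            return new WP_Error( 'invalid_row', 'Row lacks a valid e-mail address.' );
        }
        if ( email_exists( $args['user_email'] ) ) {
            return new WP_Error( 'duplicate_user', 'A user with this e-mail already exists.' );
        }
        return wp_insert_user( $args );
    }
}
```

Two design points are worth noting. First, the permission callback is the only gate on the endpoint, so it must fail closed; returning a `WP_Error` with `rest_authorization_required_code()` also produces the correct HTTP status for monitoring. Second, role restriction belongs in the data mapping, not only in the permission check: even an authorised organizer should not be able to mint administrators from a spreadsheet, and an allowlist (rather than a denylist of "administrator") also covers custom privileged roles a site may have added.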

WordPress site administrators using the Eventin plugin are strongly advised to update to version 4.0.27 or later immediately. Those unable to update should consider temporarily disabling the plugin until updates can be applied, as the unauthenticated nature of this exploit makes it particularly dangerous in the wild.

Broader Context

This incident underscores the critical importance of regular updates and vigilant security practices for WordPress site administrators. Similar vulnerabilities have been discovered in other popular plugins, highlighting the need for continuous monitoring and prompt response to security advisories.