Vulnerabilities and security researches forwp-event-solution wp-event-solution
Direction: ascendingEvent Manager, Events Calendar, Events Tickets for WooCommerce – Eventin # CVE-2024-1122
- CVE, Research URL
- Home page URL
-
Security reports for Event Manager, Events Calendar, Events Tickets for WooCommerce – Eventin
- Date
- Feb 09, 2024
- Research Description
- The Event Manager, Events Calendar, Events Tickets for WooCommerce – Eventin plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the export_data() function in all versions up to, and including, 3.3.50. This makes it possible for unauthenticated attackers to export event data.
- Affected versions
-
max 3.3.51.
- Status
-
vulnerable
Event Manager, Events Calendar, Events Tickets for WooCommerce – Eventin # f4685f6f478a2942072b9c51ebe4f460c17ead60
- CVE, Research URL
- Home page URL
-
Security reports for Event Manager, Events Calendar, Events Tickets for WooCommerce – Eventin
- Date
- Dec 04, 2023
- Research Description
- Event Manager, Events Calendar, Tickets, Registrations – Eventin [wp-event-solution] < 3.3.53 WordPress Eventin Plugin <= 3.3.44 is vulnerable to Broken Access Control No patched version is available. Abdi Pranata discovered and reported this Broken Access Control vulnerability in WordPress Eventin Plugin. A broken access control issue refers to a missing authorization, authentication or nonce token check in a function that could lead to an unprivileged user to executing a certain higher privileged action. This vulnerability has not been known to be fixed yet.
- Affected versions
-
max 3.3.53.
- Status
-
vulnerable
Event Manager, Events Calendar, Events Tickets for WooCommerce – Eventin # CVE-2023-49756
- CVE, Research URL
- Home page URL
-
Security reports for Event Manager, Events Calendar, Events Tickets for WooCommerce – Eventin
- Date
- Dec 09, 2024
- Research Description
- Missing Authorization vulnerability in Arraytics Eventin wp-event-solution allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Eventin: from n/a through <= 3.3.52.
- Affected versions
-
max 3.3.53.
- Status
-
vulnerable
Event Manager, Events Calendar, Events Tickets for WooCommerce – Eventin # CVE-2024-37507
- CVE, Research URL
- Home page URL
-
Security reports for Event Manager, Events Calendar, Events Tickets for WooCommerce – Eventin
- Date
- Jul 21, 2024
- Research Description
- Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Themewinter Eventin allows Stored XSS.This issue affects Eventin: from n/a through 3.3.57.
- Affected versions
-
max 4.0.0.
- Status
-
vulnerable
Event Manager, Events Calendar, Events Tickets for WooCommerce – Eventin # CVE-2024-6033
- CVE, Research URL
- Home page URL
-
Security reports for Event Manager, Events Calendar, Events Tickets for WooCommerce – Eventin
- Date
- Jul 17, 2024
- Research Description
- The Event Manager, Events Calendar, Tickets, Registrations – Eventin plugin for WordPress is vulnerable to unauthorized data importation due to a missing capability check on the 'import_file' function in all versions up to, and including, 4.0.4. This makes it possible for authenticated attackers, with Contributor-level access and above, to import events, speakers, schedules and attendee data.
- Affected versions
-
max 4.0.5.
- Status
-
vulnerable
Event Manager, Events Calendar, Events Tickets for WooCommerce – Eventin # CVE-2024-39648
- CVE, Research URL
- Home page URL
-
Security reports for Event Manager, Events Calendar, Events Tickets for WooCommerce – Eventin
- Date
- Aug 02, 2024
- Research Description
- Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Themewinter Eventin allows Stored XSS.This issue affects Eventin: from n/a through 4.0.5.
- Affected versions
-
max 4.0.6.
- Status
-
vulnerable
Event Manager, Events Calendar, Events Tickets for WooCommerce – Eventin # CVE-2024-7149
- CVE, Research URL
- Home page URL
-
Security reports for Event Manager, Events Calendar, Events Tickets for WooCommerce – Eventin
- Date
- Sep 27, 2024
- Research Description
- The Event Manager, Events Calendar, Tickets, Registrations – Eventin plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.0.8 via multiple style parameters. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.
- Affected versions
-
max 4.0.9.
- Status
-
vulnerable
Event Manager, Events Calendar, Events Tickets for WooCommerce – Eventin # CVE-2024-56213
- CVE, Research URL
- Home page URL
-
Security reports for Event Manager, Events Calendar, Events Tickets for WooCommerce – Eventin
- Date
- Dec 31, 2024
- Research Description
- Path Traversal: '.../...//' vulnerability in Arraytics Eventin wp-event-solution allows Path Traversal.This issue affects Eventin: from n/a through <= 4.0.7.
- Affected versions
-
max 4.0.9.
- Status
-
vulnerable
Event Manager, Events Calendar, Events Tickets for WooCommerce – Eventin # CVE-2025-26964
- CVE, Research URL
- Home page URL
-
Security reports for Event Manager, Events Calendar, Events Tickets for WooCommerce – Eventin
- Date
- Feb 25, 2025
- Research Description
- Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Arraytics Eventin wp-event-solution allows PHP Local File Inclusion.This issue affects Eventin: from n/a through <= 4.0.20.
- Affected versions
-
max 4.0.21.
- Status
-
vulnerable
Event Manager, Events Calendar, Events Tickets for WooCommerce – Eventin # CVE-2025-1766
- CVE, Research URL
- Home page URL
-
Security reports for Event Manager, Events Calendar, Events Tickets for WooCommerce – Eventin
- Date
- Mar 20, 2025
- Research Description
- The Event Manager, Events Calendar, Tickets, Registrations – Eventin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'payment_complete' function in all versions up to, and including, 4.0.24. This makes it possible for unauthenticated attackers to update the status of ticket payments to 'completed', possibly resulting in financial loss.
- Affected versions
-
max 4.0.25.
- Status
-
vulnerable
Event Manager, Events Calendar, Events Tickets for WooCommerce – Eventin # CVE-2025-1770
- CVE, Research URL
- Home page URL
-
Security reports for Event Manager, Events Calendar, Events Tickets for WooCommerce – Eventin
- Date
- Mar 20, 2025
- Research Description
- The Event Manager, Events Calendar, Tickets, Registrations – Eventin plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.0.24 via the 'style' parameter. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.
- Affected versions
-
max 4.0.25.
- Status
-
vulnerable
Event Manager, Events Calendar, Events Tickets for WooCommerce – Eventin # CVE-2025-39584
- CVE, Research URL
- Home page URL
-
Security reports for Event Manager, Events Calendar, Events Tickets for WooCommerce – Eventin
- Date
- Apr 16, 2025
- Research Description
- Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Arraytics Eventin wp-event-solution allows PHP Local File Inclusion.This issue affects Eventin: from n/a through <= 4.0.25.
- Affected versions
-
max 4.0.26.
- Status
-
vulnerable
Event Manager, Events Calendar, Events Tickets for WooCommerce – Eventin # CVE-2025-3419
- CVE, Research URL
- Home page URL
-
Security reports for Event Manager, Events Calendar, Events Tickets for WooCommerce – Eventin
- Date
- May 08, 2025
- Research Description
- The Event Manager, Events Calendar, Tickets, Registrations – Eventin plugin for WordPress is vulnerable to arbitrary file read in all versions up to, and including, 4.0.26 via the proxy_image() function. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information. CVE-2025-47445 is a duplicate of this vulnerability.
- Affected versions
-
max 4.0.27.
- Status
-
vulnerable
Event Manager, Events Calendar, Events Tickets for WooCommerce – Eventin # CVE-2025-47445
- CVE, Research URL
- Home page URL
-
Security reports for Event Manager, Events Calendar, Events Tickets for WooCommerce – Eventin
- Date
- May 14, 2025
- Research Description
- Relative Path Traversal vulnerability in Arraytics Eventin wp-event-solution allows Path Traversal.This issue affects Eventin: from n/a through <= 4.0.26.
- Affected versions
-
max 4.0.27.
- Status
-
vulnerable
Event Manager, Events Calendar, Events Tickets for WooCommerce – Eventin # CVE-2025-47539
- CVE, Research URL
- Home page URL
-
Security reports for Event Manager, Events Calendar, Events Tickets for WooCommerce – Eventin
- Date
- May 23, 2025
- Research Description
- Incorrect Privilege Assignment vulnerability in Arraytics Eventin wp-event-solution allows Privilege Escalation.This issue affects Eventin: from n/a through <= 4.0.26.
- Affected versions
-
max 4.0.27.
- Status
-
vulnerable
Event Manager, Events Calendar, Events Tickets for WooCommerce – Eventin # CVE-2025-49321
- CVE, Research URL
- Home page URL
-
Security reports for Event Manager, Events Calendar, Events Tickets for WooCommerce – Eventin
- Date
- Jun 27, 2025
- Research Description
- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Arraytics Eventin wp-event-solution allows Reflected XSS.This issue affects Eventin: from n/a through <= 4.0.28.
- Affected versions
-
max 4.0.29.
- Status
-
vulnerable
Event Manager, Events Calendar, Events Tickets for WooCommerce – Eventin # CVE-2025-4796
- CVE, Research URL
- Home page URL
-
Security reports for Event Manager, Events Calendar, Events Tickets for WooCommerce – Eventin
- Date
- Aug 09, 2025
- Research Description
- The Eventin plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 4.0.34. This is due to the plugin not properly validating a user's identity or capability prior to updating their details like email in the 'Eventin\Speaker\Api\SpeakerController::update_item' function. This makes it possible for unauthenticated attackers with contributor-level and above permissions to change arbitrary user's email addresses, including administrators, and leverage that to reset the user's password and gain access to their account.
- Affected versions
-
max 4.0.35.
- Status
-
vulnerable
Event Manager, Events Calendar, Events Tickets for WooCommerce – Eventin # CVE-2025-49869
- CVE, Research URL
- Home page URL
-
Security reports for Event Manager, Events Calendar, Events Tickets for WooCommerce – Eventin
- Date
- Aug 14, 2025
- Research Description
- Deserialization of Untrusted Data vulnerability in Arraytics Eventin wp-event-solution allows Object Injection.This issue affects Eventin: from n/a through <= 4.0.31.
- Affected versions
-
max 4.0.32.
- Status
-
vulnerable
Event Manager, Events Calendar, Events Tickets for WooCommerce – Eventin # CVE-2025-68047
- CVE, Research URL
- Home page URL
-
Security reports for Event Manager, Events Calendar, Events Tickets for WooCommerce – Eventin
- Date
- Jan 22, 2026
- Research Description
- Deserialization of Untrusted Data vulnerability in Arraytics Eventin wp-event-solution allows Object Injection.This issue affects Eventin: from n/a through <= 4.1.3.
- Affected versions
-
max 4.1.4.
- Status
-
vulnerable
Event Manager, Events Calendar, Events Tickets for WooCommerce – Eventin # CVE-2025-14657
- CVE, Research URL
- Home page URL
-
Security reports for Event Manager, Events Calendar, Events Tickets for WooCommerce – Eventin
- Date
- Jan 09, 2026
- Research Description
- The Eventin – Event Manager, Events Calendar, Event Tickets and Registrations plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'post_settings' function in all versions up to, and including, 4.0.51. This makes it possible for unauthenticated attackers to modify plugin settings. Furthermore, due to insufficient input sanitization and output escaping on the 'etn_primary_color' setting, this enables unauthenticated attackers to inject arbitrary web scripts that will execute whenever a user accesses a page where Eventin styles are loaded.
- Affected versions
-
max 4.0.52.
- Status
-
vulnerable
Event Manager, Events Calendar, Events Tickets for WooCommerce – Eventin # CVE-2026-4109
- CVE, Research URL
- Home page URL
-
Security reports for Event Manager, Events Calendar, Events Tickets for WooCommerce – Eventin
- Date
- Apr 14, 2026
- Research Description
- The Eventin – Events Calendar, Event Booking, Ticket & Registration (AI Powered) plugin for WordPress is vulnerable to unauthorized access of data due to a improper capability check on the get_item_permissions_check() function in all versions up to, and including, 4.1.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read arbitrary order data including customer PII (name, email, phone) by iterating order IDs.
- Affected versions
-
max 4.1.9.
- Status
-
vulnerable
Event Manager, Events Calendar, Events Tickets for WooCommerce – Eventin # CVE-2025-7813
- CVE, Research URL
- Home page URL
-
Security reports for Event Manager, Events Calendar, Events Tickets for WooCommerce – Eventin
- Date
- Aug 23, 2025
- Research Description
- The Events Calendar, Event Booking, Registrations and Event Tickets – Eventin plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 4.0.37 via the proxy_image function. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
- Affected versions
-
max 4.0.38.
- Status
-
vulnerable
Event Manager, Events Calendar, Events Tickets for WooCommerce – Eventin # CVE-2026-40776
- CVE, Research URL
- Home page URL
-
Security reports for Event Manager, Events Calendar, Events Tickets for WooCommerce – Eventin
- Date
- Jun 16, 2026
- Research Description
- Unauthenticated Broken Access Control in WP Event SOlution <= 4.1.8 versions.
- Affected versions
-
max 4.1.9.
- Status
-
vulnerable
Event Manager, Events Calendar, Events Tickets for WooCommerce – Eventin # CVE-2026-12924
- CVE, Research URL
- Home page URL
-
Security reports for Event Manager, Events Calendar, Events Tickets for WooCommerce – Eventin
- Date
- Jul 10, 2026
- Research Description
- The Eventin – Event Calendar, Event Registration, Tickets & Booking (AI Powered) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'etn_faq_content' parameter in all versions up to, and including, 4.1.15 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
- Affected versions
-
max 4.1.16.
- Status
-
vulnerable
Event Manager, Events Calendar, Events Tickets for WooCommerce – Eventin # CVE-2026-13039
- CVE, Research URL
- Home page URL
-
Security reports for Event Manager, Events Calendar, Events Tickets for WooCommerce – Eventin
- Date
- Jul 11, 2026
- Research Description
- The Eventin – Event Calendar, Event Registration, Tickets & Booking (AI Powered) plugin for WordPress is vulnerable to authorization bypass due to a regression in versions from 4.0.26 up to and including 4.1.15. This is due to the plugin not properly verifying that a user is authorized to perform an action in the payment_complete() function of PaymentController.php. This makes it possible for unauthenticated attackers to mark unpaid ticket orders as completed by submitting a fabricated SureCart checkout ID or FluentCart cart hash, granting themselves paid event access, QR-code attendee tickets, and order confirmation emails without making any real payment. The wp_rest nonce required to reach the vulnerable endpoint is embedded in every public event page, meaning no WordPress session or credentials are needed to obtain it. This vulnerability represents a regression — the same function and endpoint were previously patched but the fix did not persist through subsequent releases.
- Affected versions
-
max 4.1.16.
- Status
-
vulnerable