cleantalk
Vulnerabilities and Security Researches

Event Manager, Events Calendar, Events Tickets for WooCommerce – Eventin, CVE-2025-4796

CVE, Research URL

CVE-2025-4796

Home page URL

Security reports for Event Manager, Events Calendar, Events Tickets for WooCommerce – Eventin

Application

Event Manager, Events Calendar, Events Tickets for WooCommerce – Eventin

Published on
Aug 09, 2025
Research Description
The Eventin plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 4.0.34. This is due to the plugin not properly validating a user's identity or capability prior to updating their details like email in the 'Eventin\Speaker\Api\SpeakerController::update_item' function. This makes it possible for unauthenticated attackers with contributor-level and above permissions to change arbitrary user's email addresses, including administrators, and leverage that to reset the user's password and gain access to their account.
Affected versions
Min -, max 4.0.35.
Status
vulnerable
Previous vulnerability researches
Backup Bolt (CVE-2023-7236) , Jun 10, 2024
Backup Bolt (bc0c1fa51c016cd29c9a4fcba7b97da23cfc4c93) , Jun 11, 2024
New vulnerability
BaiduXZH Submit(百度熊掌号) (CVE-2025-49063) , Aug 10, 2025
Visit Counter (CVE-2025-49065) , Aug 10, 2025
OpenStreetMap for Gutenberg and WPBakery Page Builder (formerly Visual Composer) (CVE-2025-6572) , Aug 09, 2025
Prevent files / folders access (CVE-2025-53561) , Aug 09, 2025
Porn Videos Embed (CVE-2025-49061) , Aug 09, 2025