Critical WordPress Plugin Flaw Exposes Over 10,000 Sites to Cyberattacks

A severe vulnerability has been uncovered in the highly popular WordPress event management plugin, Eventin, putting over 10,000 websites at risk of full site compromise.

The flaw, which received the tracking ID CVE-2025-47539, was originally discovered by Denver Jackson, a Patchstack Alliance community member, and responsibly disclosed through the Patchstack Zero Day bug bounty program.

As a result, the researcher was awarded $600 for his role in alerting the developer and broader WordPress ecosystem to the issue.

Unauthenticated Privilege Escalation Vulnerability

The vulnerability centers around a critical oversight in the REST API endpoint /wp-json/eventin/v2/speakers/import, which is responsible for importing speaker data into the plugin.

Despite having an apparent permission callback set via the import_item_permissions_check() function, the actual implementation of this function failed to enforce any real access control.

Rather than verifying the identity or privileges of users accessing the endpoint, it simply returned true, thereby allowing any unauthenticated individual to execute the import function.

This lack of access control opened the door to unauthenticated privilege escalation.

An attacker could construct a POST request to the vulnerable API endpoint, supplying a crafted CSV file that specifies a user with the administrator role.

The plugin’s user-import mechanism failed to restrict role assignment, blindly accepting the contents of the uploaded file.

As a consequence, a malicious actor could create an administrator-level account and, by resetting its password, gain complete control over the affected WordPress site.

Patchstack’s security analysis traced the vulnerability to the core logic of the plugin’s speaker import functionality, specifically within the import_items and create_speaker methods.

The flaw is notable not only for its severity but also for how easily it could be exploited: no authentication was required, and the privilege escalation could be performed with minimal technical skill.

Users Advised to Update Immediately

Upon receiving the responsible disclosure, the plugin’s vendor, Themewinter, acted swiftly to mitigate the risk.

Version 4.0.27 of Eventin implements a robust permission check within the import_item_permissions_check() function.

[Figure: WordPress plugin flaw patch]

Additionally, a whitelist for user roles was introduced, ensuring that only legitimate and pre-approved roles could be assigned through the import process, effectively neutralizing the privilege escalation vector.
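To make concrete both the weakness described earlier (a permission callback that simply returns true) and the fix described above (a real permission check plus a role whitelist), here is an added PHP illustration. It is not Eventin's or Patchstack's code; the route namespace, function names and the hypothetical `example_` helpers are assumptions, and the allowed-role list is a constructed sample.

```php
<?php
// Added illustration, not the plugin's own code. Shows a WordPress REST route
// whose permission callback grants everyone access, beside a hardened version
// with a real capability check and a role allowlist for imported records.

// WEAK PATTERN (do not ship): the callback returns true for every caller, so
// unauthenticated visitors can trigger the import just like an administrator.
function example_weak_permissions_check( WP_REST_Request $request ) {
    return true; // no identity or capability check at all
}

// HARDENED: require a logged-in user holding a capability that implies the
// right to create users; return 401 for anonymous callers and 403 otherwise.
function example_import_permissions_check( WP_REST_Request $request ) {
    if ( ! current_user_can( 'create_users' ) ) {
        return new WP_Error(
            'rest_forbidden',
            'You are not allowed to import speakers.',
            array( 'status' => rest_authorization_required_code() )
        );
    }
    return true;
}

// Allowlist of roles an import may assign (constructed sample). Anything not
// listed, including 'administrator', falls back to the least-privileged role.
const EXAMPLE_ALLOWED_IMPORT_ROLES = array( 'subscriber', 'contributor' );

function example_sanitize_import_role( $requested_role ) {
    $role = sanitize_key( (string) $requested_role );
    return in_array( $role, EXAMPLE_ALLOWED_IMPORT_ROLES, true ) ? $role : 'subscriber';
}

// Import callback (hypothetical): the role from the uploaded row is never
// trusted directly; it passes through the allowlist before wp_insert_user().
function example_import_speakers( WP_REST_Request $request ) {
    $rows = (array) $request->get_param( 'speakers' );
    foreach ( $rows as $row ) {
        wp_insert_user( array(
            'user_login' => sanitize_user( $row['username'] ?? '' ),
            'user_email' => sanitize_email( $row['email'] ?? '' ),
            'user_pass'  => wp_generate_password( 24 ),
            'role'       => example_sanitize_import_role( $row['role'] ?? '' ),
        ) );
    }
    return rest_ensure_response( array( 'imported' => count( $rows ) ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'example-plugin/v1', '/speakers/import', array(
        'methods'             => 'POST',
        'callback'            => 'example_import_speakers',
        'permission_callback' => 'example_import_permissions_check',
    ) );
} );
```

A quick audit check for any plugin: grep its `register_rest_route()` calls for `__return_true` or a callback that only returns true, and confirm that every route touching user or role data reaches `current_user_can()` before doing work.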

Users of the Eventin plugin are strongly advised to update to version 4.0.27 or newer as soon as possible.

According to Patchstack's report, its customers were already protected against this vulnerability and need to take no further action.

However, the incident serves as a pointed reminder to all WordPress plugin developers about the importance of adhering to security best practices.

Implementing superficial security checks can provide a false sense of safety; deep code analysis and proper permission enforcement are essential, particularly in functions that involve user management or role assignment.

The widespread reach of the Eventin plugin and the critical nature of this vulnerability underscore the ongoing need for vigilance in WordPress plugin development and security auditing.

For those interested in participating in proactive security initiatives, Patchstack’s Zero Day bug bounty program continues to offer incentives for researchers dedicated to safeguarding the WordPress ecosystem.

Mandvi
Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.
