A severe security flaw has been discovered in the popular WordPress plugin Eventin, putting over 10,000 websites at risk of full compromise. The vulnerability, tracked as CVE-2025-47539, allows attackers to create administrator accounts without any user interaction or login credentials.
Details of the Vulnerability
The flaw exists in an unsecured REST API endpoint used for speaker imports, specifically /wp-json/eventin/v2/speakers/import. The function responsible for permission checks, import_item_permissions_check(), was implemented to always return true, allowing any unauthenticated user to access it:
    public function import_item_permissions_check($request) {
        return true;
    }
This means attackers can send specially crafted requests to this endpoint and import user data with administrator privileges. The plugin failed to validate user roles during the import, letting attackers specify an admin role in the data:
    $args = [
        'first_name' => !empty($row['name']) ? $row['name'] : '',
        // Other user details...
        'role'       => !empty($row['role']) ? $row['role'] : '', // taken verbatim from the import row
    ];
Impact and Risks
Once an attacker creates an administrator account, they can reset the password and gain full control over the affected site. This could lead to site defacement, data theft, malware injection, or the use of the compromised sites in larger botnet operations.
The Eventin plugin, developed by Themewinter, is widely used for event management on WordPress sites, making this vulnerability especially critical due to its broad adoption.
Discovery and Patch
The vulnerability was reported on April 19, 2025, by security researcher Denver Jackson through Patchstack’s Zero Day bug bounty program. Jackson received a $600 reward for the discovery.
The plugin developer released a patched version, 4.0.27, on April 30, 2025. This update implements proper permission checks and restricts allowed user roles during imports:
    public function import_item_permissions_check($request) {
        return current_user_can('etn_manage_organizer') || current_user_can('etn_manage_event');
    }
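The following is an added example, not Eventin's own code, showing how the two fixes described above fit together in a WordPress REST route: a real permission_callback instead of an unconditional true, and an allow-list that stops an import row from assigning the administrator role. The function names, the 'rows' request parameter and the 'etn_speaker' role are assumptions for the illustration.

```php
<?php
// Added illustration, not the plugin's code. Assumed names: etn_* functions,
// the 'rows' parameter and the 'etn_speaker' role.

// Roles an import may assign. Privileged roles are deliberately absent,
// so a crafted 'role' column cannot create an administrator.
const ETN_IMPORT_ALLOWED_ROLES = [ 'subscriber', 'etn_speaker' ];

// Permission callback: unauthenticated callers have no capabilities and
// are refused with 403 instead of being waved through.
function etn_import_permissions_check( WP_REST_Request $request ) {
    if ( current_user_can( 'etn_manage_organizer' ) || current_user_can( 'etn_manage_event' ) ) {
        return true;
    }
    return new WP_Error( 'rest_forbidden', 'Insufficient permissions.', [ 'status' => 403 ] );
}

// Role validation: anything outside the allow-list is downgraded to the
// least-privileged role rather than trusted from the import data.
function etn_sanitize_import_role( $requested ) {
    $role = sanitize_key( (string) $requested );
    return in_array( $role, ETN_IMPORT_ALLOWED_ROLES, true ) ? $role : 'subscriber';
}

function etn_import_speakers( WP_REST_Request $request ) {
    $imported = [];
    foreach ( (array) $request->get_param( 'rows' ) as $row ) {
        $email = sanitize_email( $row['email'] ?? '' );
        if ( ! is_email( $email ) ) {
            continue; // skip rows without a valid address
        }
        $user_id = wp_insert_user( [
            'user_login' => sanitize_user( $row['name'] ?? $email, true ),
            'user_email' => $email,
            'user_pass'  => wp_generate_password( 24 ),
            'first_name' => sanitize_text_field( $row['name'] ?? '' ),
            'role'       => etn_sanitize_import_role( $row['role'] ?? '' ),
        ] );
        if ( ! is_wp_error( $user_id ) ) {
            $imported[] = $user_id;
        }
    }
    return rest_ensure_response( [ 'imported' => $imported ] );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'eventin/v2', '/speakers/import', [
        'methods'             => 'POST',
        'callback'            => 'etn_import_speakers',
        'permission_callback' => 'etn_import_permissions_check',
    ] );
} );
```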
Recommendations for Site Owners
- Update immediately: WordPress administrators using Eventin should upgrade to version 4.0.27 or later without delay.
- Disable plugin temporarily: If immediate updating is not possible, consider disabling the Eventin plugin until the patch can be applied.
- Monitor site activity: Check for unauthorized admin accounts or suspicious activity in your WordPress dashboard.
- Implement security best practices: Use strong passwords, two-factor authentication, and limit plugin usage to trusted sources.
This vulnerability’s unauthenticated nature makes it especially dangerous, as attackers do not need to trick users or gain credentials to exploit it. Prompt action is essential to protect affected websites from potential takeover.