CVE-2025-47539: Critical Eventin WordPress Plugin Vulnerability Puts 10,000+ Sites at Risk
A critical vulnerability has been found in the widely used Eventin WordPress plugin by Themewinter, putting more than 10,000 websites at risk of complete takeover.
The flaw, tracked as CVE-2025-47539, permits unauthenticated privilege escalation: anyone can create an Administrator-level user account without having any prior access to the WordPress site.
What is CVE-2025-47539?
CVE-2025-47539 is a REST API vulnerability with a CVSS score of 9.8 (Critical). It was discovered by Denver Jackson of the Patchstack Alliance and responsibly disclosed through the Patchstack Zero Day Initiative, earning a $600 bug bounty.
The vulnerability exists in the REST API endpoint:
/wp-json/eventin/v2/speakers/import
This endpoint lets users import speaker data, typically from a CSV file. Because the permission check was flawed, the API did not restrict who could execute the import, and the import itself could create an administrator account.
Root Cause: Incorrect permission callback
The route's permission_callback, import_item_permissions_check(), was intended to restrict access to logged-in users with the proper capability. Instead it was implemented as:
public function import_item_permissions_check($request) {
return true;
}
This allows anyone on the Internet, including unauthenticated users, to trigger the import. With no authentication, validation or access control in place, an attacker can upload a maliciously crafted CSV file.
How does the Exploit Work?
An attacker exploits this by sending a POST request to the endpoint with a CSV file attached, such as:
username,email,role
attacker,[email protected],administrator
The backend import then processes the file with:
$importer->import($file);
$this->create_speaker();
Without access control or role validation in the plugin, the attacker could:
- Create a new admin user account.
- Reset the password (if so desired).
- Have full administrative control over the entire WordPress site.
In short, the entire site is compromised: the admin dashboard is in the attacker's hands, along with user details, user submissions, site files, and so forth.
What Has Been Fixed?
This vulnerability was patched in Eventin version 4.0.27. Among the key changes:
- A real permission_callback: the callback now requires the caller to be authenticated with the proper capability before the import functionality can be used.
- A whitelist of user roles: only roles on the approved list can be assigned during an import, so arbitrary administrator or custom roles can no longer be created through it.
What Should You Do Now?
All administrators of any WordPress site that has the Eventin plugin installed should immediately take the following steps:
- Update the plugin to 4.0.27 or later from your dashboard or Themewinter's official site.
- Check your user list for old or suspicious admin accounts that aren't attributable to you or someone with appropriate access.
- Change the passwords on all admin accounts in case any of them were hijacked.
- Enable 2FA (Two-Factor Authentication) on admin accounts to reduce the risk of unauthorized access.
- Review your web server logs and security plugin for unexpected (or unusually frequent) POST requests to /wp-json/eventin/v2/speakers/import; before the patch, no authentication was required, so any such request from an unknown client is suspicious.
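As an added example of the log review in the last step (not part of the original advisory and not code from the plugin), the following PHP script scans access-log lines in the common Apache/nginx "combined" format for POST requests to the import endpoint and summarises them per client IP with the status codes seen. The sample log lines and IP addresses are constructed, and the function and constant names are assumptions. Run it with the PHP CLI, or feed it `file('/var/log/nginx/access.log')` instead of the sample array.

```php
<?php
/**
 * Added example: scan an access log for POST requests to the vulnerable
 * Eventin import endpoint. Not part of the advisory or the plugin; the
 * log lines and IPs below are constructed for the demo.
 */

const EVENTIN_IMPORT_PATH = '/wp-json/eventin/v2/speakers/import';

/**
 * Return, per client IP, the number of POSTs to the import endpoint, the
 * HTTP status codes seen and the first/last timestamps. Lines that do not
 * parse as combined-format are counted in 'unparsed' so a noisy log does
 * not silently hide hits.
 */
function eventin_scan_import_posts(iterable $lines): array
{
    $hits = [];
    $unparsed = 0;
    // Combined format: ip ident user [time] "METHOD path HTTP/x" status bytes "referer" "ua"
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) /';
    foreach ($lines as $line) {
        if (!preg_match($re, $line, $m)) {
            $unparsed++;
            continue;
        }
        [, $ip, $time, $method, $path, $status] = $m;
        // Strip any query string before comparing; an attacker may append one.
        $path = strtok($path, '?');
        if ($method !== 'POST' || rtrim($path, '/') !== EVENTIN_IMPORT_PATH) {
            continue;
        }
        $hits[$ip]['count'] = ($hits[$ip]['count'] ?? 0) + 1;
        $hits[$ip]['statuses'][] = (int) $status;
        $hits[$ip]['first'] ??= $time;
        $hits[$ip]['last'] = $time;
    }
    return ['hits' => $hits, 'unparsed' => $unparsed];
}

// Constructed sample log (not real traffic): an unauthenticated scripted
// client hitting the endpoint twice, one logged-in admin rejected with 403
// after the patch, and one line that does not parse.
$sample = [
    '203.0.113.7 - - [15/May/2025:10:01:02 +0000] "GET /wp-json/eventin/v2/speakers HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [15/May/2025:10:01:05 +0000] "POST /wp-json/eventin/v2/speakers/import HTTP/1.1" 200 87 "-" "python-requests/2.31"',
    '203.0.113.7 - - [15/May/2025:10:01:06 +0000] "POST /wp-json/eventin/v2/speakers/import?x=1 HTTP/1.1" 200 87 "-" "python-requests/2.31"',
    '198.51.100.4 - admin [15/May/2025:11:20:00 +0000] "POST /wp-json/eventin/v2/speakers/import HTTP/1.1" 403 40 "https://example.com/wp-admin/" "Mozilla/5.0"',
    'garbage line that does not parse',
];

$result = eventin_scan_import_posts($sample);
foreach ($result['hits'] as $ip => $info) {
    $codes = implode(',', $info['statuses']);
    echo "$ip: {$info['count']} POST(s) to the import endpoint between {$info['first']} and {$info['last']} (status {$codes})\n";
}
echo "Unparsed lines: {$result['unparsed']}\n";
```

A 200 response to an unauthenticated POST dated before the plugin was updated is the strongest signal; in that case treat the site as compromised and work through the user-list and password steps above rather than stopping at the log review.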
Lessons for Plugin Developers
This incident should be a strong reminder for all WordPress plugin developers:
- Do not use permission_callback functions that always return true.
- REST API endpoints should enforce capability checks (e.g. current_user_can('manage_options')).
- User import and export features should validate roles, sanitize input, and check the caller's permissions before acting.
A check that exists only on paper is not security. A superficial permission callback may look like protection, but it offers only a false sense of security; full code audits, testing, and product review must be part of the product lifecycle.
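As an added example (not Themewinter's patch and not code from the Eventin plugin), the following PHP shows what the two fixes described in "What Has Been Fixed?" and the first three developer lessons above look like when applied to a speaker-import route: a permission_callback that checks authentication and a capability instead of returning true, and a role whitelist applied to every CSV row before any user is created. The route name, function names, the `file` upload parameter and the allowed-role list are assumptions. Loaded inside WordPress (for example as an mu-plugin) it registers the route; run directly with the PHP CLI it only exercises the CSV validation against a constructed file containing one benign row and one row that tries to become administrator.

```php
<?php
/**
 * Illustrative hardening of a speaker-import REST route (added example, not
 * the plugin's actual code). Every name below is an assumption.
 *
 *  1. permission_callback requires a logged-in user with a real capability.
 *  2. A role whitelist is applied to each CSV row before wp_insert_user().
 */

/** Roles that an import is allowed to assign. Anything else is rejected. */
const EVENTIN_EXAMPLE_ALLOWED_ROLES = ['subscriber', 'contributor'];

/**
 * Parse CSV text and return only rows whose role is on the whitelist.
 * Returns ['accepted' => [...], 'rejected' => [...]].
 */
function eventin_example_validate_import_csv(string $csv, array $allowed_roles = EVENTIN_EXAMPLE_ALLOWED_ROLES): array
{
    $accepted = [];
    $rejected = [];
    $lines = preg_split('/\r\n|\r|\n/', trim($csv));
    $header = array_map('trim', str_getcsv(array_shift($lines)));
    foreach (['username', 'email', 'role'] as $col) {
        if (!in_array($col, $header, true)) {
            throw new InvalidArgumentException("CSV is missing the '$col' column");
        }
    }
    foreach ($lines as $n => $line) {
        if (trim($line) === '') {
            continue;
        }
        $fields = str_getcsv($line);
        if (count($fields) !== count($header)) {
            $rejected[] = ['line' => $n + 2, 'reason' => 'column count mismatch'];
            continue;
        }
        $row  = array_combine($header, $fields);
        $role = strtolower(trim($row['role']));
        if (!in_array($role, $allowed_roles, true)) {
            // This is the check that stops "administrator" (or any custom
            // role) from being smuggled in through the import file.
            $rejected[] = ['line' => $n + 2, 'reason' => "role '$role' not permitted"];
            continue;
        }
        if (filter_var(trim($row['email']), FILTER_VALIDATE_EMAIL) === false) {
            $rejected[] = ['line' => $n + 2, 'reason' => 'invalid email'];
            continue;
        }
        $accepted[] = [
            'username' => trim($row['username']),
            'email'    => trim($row['email']),
            'role'     => $role,
        ];
    }
    return ['accepted' => $accepted, 'rejected' => $rejected];
}

if (function_exists('add_action')) {
    // Inside WordPress: register the route with a real permission callback.
    add_action('rest_api_init', function () {
        register_rest_route('eventin-example/v1', '/speakers/import', [
            'methods'             => 'POST',
            'permission_callback' => function (WP_REST_Request $request) {
                // Unauthenticated callers fail here, and so do logged-in users
                // without the capability. Cookie-authenticated REST requests
                // must also carry a valid X-WP-Nonce, which core checks first.
                if (!is_user_logged_in() || !current_user_can('manage_options')) {
                    return new WP_Error('rest_forbidden', 'You are not allowed to import speakers.', ['status' => 403]);
                }
                return true;
            },
            'callback' => function (WP_REST_Request $request) {
                $files = $request->get_file_params();
                if (empty($files['file']['tmp_name'])) {
                    return new WP_Error('rest_invalid_param', 'No CSV file uploaded.', ['status' => 400]);
                }
                $result = eventin_example_validate_import_csv(file_get_contents($files['file']['tmp_name']));
                foreach ($result['accepted'] as $row) {
                    // Only whitelisted roles ever reach wp_insert_user().
                    wp_insert_user([
                        'user_login' => sanitize_user($row['username']),
                        'user_email' => sanitize_email($row['email']),
                        'user_pass'  => wp_generate_password(24),
                        'role'       => $row['role'],
                    ]);
                }
                return rest_ensure_response($result);
            },
        ]);
    });
} else {
    // Command-line demo with a constructed CSV: one benign row and the
    // attacker row from the write-up, which must land in 'rejected'.
    $csv = "username,email,role\n"
         . "speaker1,speaker1@example.com,contributor\n"
         . "attacker,attacker@example.com,administrator\n";
    print_r(eventin_example_validate_import_csv($csv));
}
```

Both defences are needed: the permission callback keeps unauthenticated callers out, and the whitelist makes sure that even a legitimate importer, or a compromised editor account, cannot mint administrators through a data-import feature that was never meant to manage privileges.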
Protect Your WordPress Site from All Attacks & Vulnerabilities
WordPress Security Services can protect you. Don’t wait for a breach before taking action! From malware removal and DDoS protection to real-time patching of vulnerabilities, SiteLock will keep your website secure 24/7.
Protect your business, protect your data, protect your reputation—get started with WordPress protection today!