{"id":3569,"date":"2025-05-20T08:40:01","date_gmt":"2025-05-20T08:40:01","guid":{"rendered":"https:\/\/certera.com\/blog\/?p=3569"},"modified":"2025-05-20T08:40:02","modified_gmt":"2025-05-20T08:40:02","slug":"critical-eventin-wordpress-plugin-vulnerability-puts-10000-sites-at-risk","status":"publish","type":"post","link":"https:\/\/certera.com\/blog\/critical-eventin-wordpress-plugin-vulnerability-puts-10000-sites-at-risk\/","title":{"rendered":"CVE-2025-47539: Critical Eventin WordPress Plugin Vulnerability Puts 10,000+ Sites at Risk\u00a0"},"content":{"rendered":"\n

A severe zero-day vulnerability has been found in the widely used Eventin WordPress plugin (Themewinter), which puts over 10,000 websites at extreme risk for complete takeover. <\/p>\n\n\n\n

CVE-2025-47539 is the identifier for the flaw, which permits unauthenticated privilege escalation, allowing users to create user accounts at the Administrator level without having access to WordPress before. <\/p>\n\n\n\n

What is CVE-2025-47539? <\/h2>\n\n\n\n

CVE-2025-47539 is a REST API vulnerability, with a CVSS score of 9.8 (Critical). This vulnerability was discovered by Denver Jackson of the Patchstack Alliance and was responsibly disclosed through the Patchstack Zero Day Initiative, for which he received a $600 bug bounty. <\/p>\n\n\n\n

The vulnerability exists in the REST API endpoint: <\/strong><\/p>\n\n\n\n

\/wp-json\/eventin\/v2\/speakers\/import<\/em> <\/code><\/pre>\n\n\n\n
This endpoint is where users can import speaker data, typically from a CSV file. Because the permission check was flawed, the API had no way to restrict who can execute the import and create an administrator account. <\/p>\n\n\n\n
Root Cause: Incorrect permission callback  <\/h3>\n\n\n\n
The permission_callback function which occurs as the import_item_permissions_check() function was callbacks intended to restrict access to connected users with the proper capabilities; however, it was designed: <\/strong><\/p>\n\n\n\n
public function import_item_permissions_check($request) {<\/em> \nreturn true;<\/em> \n}<\/em> <\/code><\/pre>\n\n\n\n
This allows anyone on the Internet, including unauthenticated users, to trigger the import function.No authentication, validation, or access control \u2014 allowing attackers to upload maliciously-crafted CSV files. <\/p>\n\n\n\n
How does the Exploit Work?<\/h2>\n\n\n\n
The attacker could exploit this vulnerability by crafting a POST request to the given endpoint and attaching a CSV file like this: <\/p>\n\n\n\n
username,email,role<\/em> 
attacker,attacker@example.com,administrator<\/em> <\/p>\n\n\n\n
The backend import system can process the file with: <\/strong><\/p>\n\n\n\n
$importer->import($file); 
$this->create_speaker(); <\/p>\n\n\n\n
Without access control or role validation in place by the plugin, the attacker could: <\/strong><\/p>\n\n\n\n