
Eventin – Event Calendar, Event Registration, Tickets & Booking (AI Powered)

wp-event-solution
total installs
10,000
total vulns
14
critical
1
high
9
medium
4
low
0
latest vuln
patched
14
unpatched
0
avg time to patch
vulnerabilities (14)
Eventin – Event Calendar, Event Registration, Tickets & Booking (AI Powered) <= 4.1.8 - Missing Authorization
medium ✓ patched
cvss score 5.3
cwe CWE-862: Missing Authorization
published Apr 29, 2026
The Eventin – Event Calendar, Event Registration, Tickets & Booking (AI Powered) plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 4.1.8. This makes it possible for unauthenticated attackers to perform an unauthorized action.
Eventin – Events Calendar, Event Booking, Ticket & Registration (AI Powered) <= 4.1.8 Missing Authorization to Authenticated (Subscriber+) Order Information Exposure
medium ✓ patched
cvss score 4.3
cwe CWE-862: Missing Authorization
published Apr 13, 2026
The Eventin – Events Calendar, Event Booking, Ticket & Registration (AI Powered) plugin for WordPress is vulnerable to unauthorized access of data due to an improper capability check on the get_item_permissions_check() function in all versions up to, and including, 4.1.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read arbitrary order data, including customer PII (name, email, phone), by iterating order IDs.
Eventin <= 4.1.3 - Authenticated (Contributor+) PHP Object Injection
high ✓ patched
cvss score 7.5
cwe CWE-502: Deserialization of Untrusted Data
published Jan 22, 2026
The Eventin plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 4.1.3 via deserialization of untrusted input. This makes it possible for authenticated attackers, with contributor-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.
Eventin – Event Manager, Event Booking, Calendar, Tickets and Registration Plugin (AI Powered) <= 4.0.51 - Missing Authorization to Unauthenticated Stored Cross-Site Scripting via 'post_settings'
high ✓ patched
cvss score 7.2
cwe CWE-862: Missing Authorization
published Jan 8, 2026
The Eventin – Event Manager, Events Calendar, Event Tickets and Registrations plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'post_settings' function in all versions up to, and including, 4.0.51. This makes it possible for unauthenticated attackers to modify plugin settings. Furthermore, due to insufficient input sanitization and output escaping on the 'etn_primary_color' setting, this enables unauthenticated attackers to inject arbitrary web scripts that will execute whenever a user accesses a page where Eventin styles are loaded.
Event Manager, Events Calendar, Booking, Registrations and Tickets – Eventin <= 4.0.37 - Unauthenticated Server-Side Request Forgery
high ✓ patched
cvss score 7.2
cwe CWE-918: Server-Side Request Forgery (SSRF)
published Aug 22, 2025
The Events Calendar, Event Booking, Registrations and Event Tickets – Eventin plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 4.0.37 via the proxy_image function. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
Eventin <= 4.0.31 - Authenticated (Contributor+) PHP Object Injection
high ✓ patched
cvss score 7.5
cwe CWE-502: Deserialization of Untrusted Data
published Aug 13, 2025
The Eventin plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 4.0.31 via deserialization of untrusted input. This makes it possible for authenticated attackers, with contributor-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.
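The two PHP Object Injection entries above (<= 4.1.3 and <= 4.0.31) describe the same bug class: untrusted bytes reach unserialize(), and whether that is exploitable depends on which classes with magic methods happen to be loadable on the site. The following is an added example, not Eventin's code and not taken from any advisory: a hypothetical gadget class DemoCacheFile and a constructed payload stand in for a POP chain, and the unsafe pattern is shown beside two hardened alternatives.

```php
<?php
declare(strict_types=1);

// Hypothetical gadget class standing in for whatever a co-installed plugin or
// theme autoloads. Its destructor is the magic method a POP chain would abuse.
final class DemoCacheFile
{
    public string $path = '';

    public function __destruct()
    {
        // A real gadget would unlink() or write to $this->path here.
        echo "DemoCacheFile::__destruct reached with path={$this->path}\n";
    }
}

// Constructed attacker payload: a serialized DemoCacheFile aimed at a config file.
const DEMO_PAYLOAD = 'O:13:"DemoCacheFile":1:{s:4:"path";s:13:"wp-config.php";}';

// The vulnerable pattern: attacker-controlled bytes go straight into
// unserialize(). PHP instantiates whatever class the payload names, and that
// class's __wakeup/__destruct/__toString run with the attacker's properties.
function restore_unsafe(string $blob): mixed
{
    return unserialize($blob);
}

// Hardened: allowed_classes => false means no class is ever instantiated; any
// object in the payload becomes a __PHP_Incomplete_Class with no magic methods,
// so a gadget present elsewhere on the site cannot be reached. max_depth
// (PHP 7.4+) bounds nesting against resource-exhaustion payloads.
function restore_safe(string $blob): mixed
{
    $value = @unserialize($blob, ['allowed_classes' => false, 'max_depth' => 16]);
    if ($value === false && $blob !== 'b:0;') {
        return null; // malformed input rather than a serialized false
    }
    return $value;
}

// Best when you own the format: JSON has no notion of PHP objects at all.
function restore_json(string $blob): mixed
{
    return json_decode($blob, true, 16, JSON_THROW_ON_ERROR);
}

$safe = restore_safe(DEMO_PAYLOAD);
echo 'restore_safe() returned an instance of ', get_class($safe), "\n";
unset($safe); // nothing happens: an incomplete class has no destructor

echo "restore_unsafe() on the same bytes:\n";
$unsafe = restore_unsafe(DEMO_PAYLOAD);
unset($unsafe); // the gadget's destructor fires here: that is the object injection

echo 'restore_json() of the same data: ',
     var_export(restore_json('{"path":"wp-config.php"}'), true), "\n";
```

The point of the demo is the asymmetry: the payload is identical in both calls, and only the unsafe call ever constructs DemoCacheFile. A plugin that needs round-trip serialization of its own arrays should pass allowed_classes => false (or an explicit list of its own value classes) and treat false from unserialize() as an error; a plugin that merely needs structured data should not use PHP serialization at all.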
Eventin <= 4.0.34 - Authenticated (Contributor+) Privilege Escalation via User Email Change/Account Takeover
high ✓ patched
cvss score 8.8
cwe CWE-639: Authorization Bypass Through User-Controlled Key
published Aug 8, 2025
The Eventin plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 4.0.34. This is due to the plugin not properly validating a user's identity or capability prior to updating their details, such as email, in the 'Eventin\Speaker\Api\SpeakerController::update_item' function. This makes it possible for authenticated attackers, with Contributor-level access and above, to change arbitrary users' email addresses, including administrators', and leverage that to reset the user's password and gain access to their account.
Eventin <= 4.0.28 - Reflected Cross-Site Scripting
medium ✓ patched
cvss score 6.1
cwe CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
published Jun 23, 2025
The Event Manager, Events Calendar, Booking, Registrations and Tickets – Eventin plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in all versions up to, and including, 4.0.28 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
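The reflected XSS entry above and the stored XSS via the 'etn_primary_color' setting (<= 4.0.51, further down) share one root cause: a value reaches an HTML sink without being validated for that sink. The following is an added example, not Eventin's code, showing the two sink types side by side. The hex-colour rule is written out in plain PHP (WordPress ships sanitize_hex_color() for the same job) so the block runs without WordPress; the payloads are constructed.

```php
<?php
declare(strict_types=1);

// Sanitise on input: only a 3- or 6-digit hex colour survives, anything else is
// null. Same rule WordPress's sanitize_hex_color() applies, written out here so
// the example runs stand-alone.
function sanitize_hex_colour(string $raw): ?string
{
    $raw = trim($raw);
    return preg_match('/^#(?:[0-9a-f]{3}|[0-9a-f]{6})$/i', $raw) === 1 ? strtolower($raw) : null;
}

// Stored-XSS sink: a colour setting interpolated into a <style> element. Inside
// <style> the browser does not decode entities, so HTML-escaping is the wrong
// tool; the right one is re-validating against the strict grammar at the sink.
// Re-validating here also covers values stored before the settings endpoint
// got its capability check.
function render_primary_colour_style(?string $stored): string
{
    $colour = $stored === null ? null : sanitize_hex_colour($stored);
    return '<style>.etn-primary{color:' . ($colour ?? '#0d6efd') . '}</style>';
}

// Reflected-XSS sink: a request parameter echoed into HTML body text. Here
// context-correct escaping is the fix; ENT_QUOTES also covers attribute sinks.
function render_search_heading(string $query): string
{
    return '<h2>Results for ' . htmlspecialchars($query, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</h2>';
}

// Constructed payloads for the demo.
$stored_colour = '#fff}</style><script>alert(document.cookie)</script><style>.x{';
$query         = '"><img src=x onerror=alert(1)>';

echo render_primary_colour_style($stored_colour), "\n"; // payload rejected, default colour used
echo render_primary_colour_style('#1E90FF'), "\n";      // valid value, normalised
echo render_search_heading($query), "\n";               // markup characters entity-encoded
```

The colour payload never reaches the page because the sink accepts only the grammar it needs; the search payload reaches the page but as inert text. The distinction matters for auditing: a setting that is "sanitized on save" is still a stored-XSS sink if any other path (here, an unauthenticated settings endpoint) can write to it, which is why validation belongs at output as well.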
Event Manager, Events Calendar, Tickets, Registrations – Eventin <= 4.0.26 - Unauthenticated Arbitrary File Read
high ✓ patched
cvss score 7.5
cwe CWE-73: External Control of File Name or Path
published May 7, 2025
The Event Manager, Events Calendar, Tickets, Registrations – Eventin plugin for WordPress is vulnerable to arbitrary file read in all versions up to, and including, 4.0.26 via the proxy_image() function. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information. CVE-2025-47445 is a duplicate of this vulnerability.
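The two proxy_image entries (unauthenticated SSRF in <= 4.0.37, unauthenticated arbitrary file read in <= 4.0.26) are one function with two failure modes: an unvalidated scheme lets the "remote image" be a local path (file://, php://filter), and an unvalidated host lets it be loopback, a private network, or the cloud metadata service. The following is an added example, not Eventin's code: a gate for an image-proxy endpoint. The DNS resolver is injected and its answers are constructed so the block runs offline; in production the resolver would wrap gethostbynamel().

```php
<?php
declare(strict_types=1);

/**
 * Added example (not Eventin's code): gate for an image-proxy style endpoint.
 * Returns ['ok' => true, 'ip' => ..., 'host' => ..., 'port' => ...] or
 * ['ok' => false, 'reason' => ...]. $resolve maps a host name to its addresses.
 */
function validate_proxy_target(string $url, callable $resolve): array
{
    $parts = parse_url($url);
    if ($parts === false) {
        return ['ok' => false, 'reason' => 'unparseable URL'];
    }
    // Anything but http(s) turns "fetch a remote image" into a local file read:
    // file://, php://filter, phar://, glob://, data: ...
    $scheme = strtolower($parts['scheme'] ?? '');
    if (!in_array($scheme, ['http', 'https'], true)) {
        return ['ok' => false, 'reason' => "scheme '$scheme' not allowed"];
    }
    if (!isset($parts['host']) || $parts['host'] === '') {
        return ['ok' => false, 'reason' => 'missing host'];
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return ['ok' => false, 'reason' => 'credentials in URL'];
    }
    $port = $parts['port'] ?? ($scheme === 'https' ? 443 : 80);
    if (!in_array($port, [80, 443], true)) {
        return ['ok' => false, 'reason' => "port $port not allowed"];
    }
    // IPv6 literals arrive as "[::1]"; strip the brackets before validating.
    $host  = strtolower(trim($parts['host'], '[]'));
    $addrs = filter_var($host, FILTER_VALIDATE_IP) !== false ? [$host] : $resolve($host);
    if ($addrs === []) {
        return ['ok' => false, 'reason' => 'host does not resolve'];
    }
    // Check EVERY address: an attacker-controlled name can answer with one
    // public and one private record, hoping only the first is inspected.
    foreach ($addrs as $ip) {
        // NO_PRIV_RANGE rejects 10/8, 172.16/12, 192.168/16, fc00::/7.
        // NO_RES_RANGE rejects 127/8, 0/8, 169.254/16 (cloud metadata), 240/4,
        // ::1, ::, ::ffff:0:0/96, fe80::/10.
        $public = filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE);
        if ($public === false) {
            return ['ok' => false, 'reason' => "$host resolves to non-public $ip"];
        }
    }
    return ['ok' => true, 'ip' => $addrs[0], 'host' => $host, 'port' => $port];
}

// Constructed DNS answers for the demo (none of these are real lookups).
$resolve = static fn(string $h): array => [
    'cdn.example.com'   => ['93.184.216.34'],
    'evil.example.net'  => ['203.0.113.10', '10.0.0.5'],  // split answer
    'metadata.internal' => ['169.254.169.254'],
][$h] ?? [];

$urls = [
    'https://cdn.example.com/banner.png',
    'file:///etc/passwd',
    'php://filter/convert.base64-encode/resource=wp-config.php',
    'http://127.0.0.1/wp-admin/',
    'http://[::1]/',
    'http://metadata.internal/latest/meta-data/',
    'http://evil.example.net/x.png',
    'http://user:pw@cdn.example.com/x.png',
    'https://cdn.example.com:8443/x.png',
];
foreach ($urls as $u) {
    $r = validate_proxy_target($u, $resolve);
    printf("%-62s %s\n", $u, $r['ok'] ? 'ALLOW ' . $r['ip'] : 'DENY: ' . $r['reason']);
}
```

Two caveats a reviewer would raise. First, validation and connection must use the same address: resolve once, then connect to the returned ip (with cURL, CURLOPT_RESOLVE pins it) so a DNS answer cannot change between check and use, and either disable redirects or re-run the gate on every redirect hop. Second, the decimal and hex spellings of loopback ("2130706433", "0x7f000001") are not IP literals to filter_var, so they fall through to the resolver; on common libc builds they resolve to 127.0.0.1 and are then caught by the range check, which is why the resolved addresses, not just the literal, are validated. In WordPress, wp_safe_remote_get() applies wp_http_validate_url(), which by default already rejects non-http(s) schemes and loopback and private-range hosts; a proxy endpoint that uses plain file_get_contents() or wp_remote_get() gets none of that.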
Eventin <= 4.0.26 - Missing Authorization to Unauthenticated Privilege Escalation
critical ✓ patched
cvss score 9.8
cwe CWE-862: Missing Authorization
published May 7, 2025
The Event Manager, Events Calendar, Tickets, Registrations – Eventin plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the import_items() function in all versions up to, and including, 4.0.26. This makes it possible for unauthenticated attackers to import users that can have the administrator role leading to privilege escalation.
Eventin <= 4.0.25 - Authenticated (Contributor+) Local File Inclusion
high ✓ patched
cvss score 8.8
cwe CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
published Apr 16, 2025
The Eventin plugin for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 4.0.25 via the 'events_tab' shortcode. This makes it possible for authenticated attackers, with contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.
Event Manager, Events Calendar, Tickets, Registrations – Eventin <= 4.0.24 - Authenticated (Contributor+) Local File Inclusion
high ✓ patched
cvss score 8.8
cwe CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
published Mar 19, 2025
The Event Manager, Events Calendar, Tickets, Registrations – Eventin plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.0.24 via the 'style' parameter. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.
Event Manager, Events Calendar, Tickets, Registrations – Eventin <= 4.0.24 - Missing Authorization to Unauthenticated Payment Status Update
medium ✓ patched
cvss score 5.3
cwe CWE-862: Missing Authorization
published Mar 19, 2025
The Event Manager, Events Calendar, Tickets, Registrations – Eventin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'payment_complete' function in all versions up to, and including, 4.0.24. This makes it possible for unauthenticated attackers to update the status of ticket payments to 'completed', possibly resulting in financial loss.
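Five entries on this page (the <= 4.1.8 missing capability check, the Subscriber+ order read through get_item_permissions_check(), post_settings, import_items, and payment_complete) plus the speaker-email account takeover are all the same omission in a WordPress REST or AJAX handler: no capability check, or a check that confirms login but not the right over the specific object. The following is an added example, not Eventin's code, of the checks such a controller needs. It assumes a WordPress runtime; the namespace 'demo-events/v1', post type 'demo_order', meta key 'payment_status', and the helper demo_can_modify_user() are hypothetical.

```php
<?php
declare(strict_types=1);

/**
 * Added example, not Eventin's code: a REST controller for "orders" with a
 * capability check on the route that changes state and an ownership check on
 * the route that reads one object. Assumes WordPress; names are hypothetical.
 */
final class DemoOrderController
{
    private const NS        = 'demo-events/v1';
    private const POST_TYPE = 'demo_order';

    public function register_routes(): void
    {
        // The bug class: 'permission_callback' => '__return_true' on a route
        // that reads or writes data. Every route below names a real check.
        register_rest_route(self::NS, '/orders/(?P<id>\d+)', [
            'args' => ['id' => ['sanitize_callback' => 'absint']],
            [
                'methods'             => WP_REST_Server::READABLE,
                'callback'            => [$this, 'get_item'],
                'permission_callback' => [$this, 'get_item_permissions_check'],
            ],
            [
                'methods'             => WP_REST_Server::EDITABLE,
                'callback'            => [$this, 'update_payment_status'],
                'permission_callback' => [$this, 'update_item_permissions_check'],
            ],
        ]);
    }

    /** Object-level authorization. A bare is_user_logged_in() here is the IDOR. */
    public function get_item_permissions_check(WP_REST_Request $request)
    {
        if (!is_user_logged_in()) {
            return new WP_Error('rest_forbidden', 'Authentication required.', ['status' => 401]);
        }
        $order = get_post((int) $request['id']);
        $owns  = $order instanceof WP_Post
              && $order->post_type === self::POST_TYPE
              && (int) $order->post_author === get_current_user_id();
        if (!$owns && !current_user_can('manage_options')) {
            // Same answer for "no such order" and "someone else's order", so
            // the endpoint is not an id-enumeration oracle.
            return new WP_Error('rest_not_found', 'Order not found.', ['status' => 404]);
        }
        return true;
    }

    /** Function-level authorization for a state change: a capability, not a login. */
    public function update_item_permissions_check(WP_REST_Request $request)
    {
        if (current_user_can('manage_options')) {
            return true;
        }
        return new WP_Error('rest_forbidden', 'Insufficient capability.',
            ['status' => rest_authorization_required_code()]);
    }

    public function get_item(WP_REST_Request $request): WP_REST_Response
    {
        $id    = (int) $request['id'];
        $order = get_post($id);
        if (!$order instanceof WP_Post || $order->post_type !== self::POST_TYPE) {
            return new WP_REST_Response(['error' => 'not found'], 404);
        }
        return new WP_REST_Response(['id' => $id, 'status' => get_post_meta($id, 'payment_status', true)]);
    }

    public function update_payment_status(WP_REST_Request $request): WP_REST_Response
    {
        $id     = (int) $request['id'];
        $status = $request->get_param('status');
        // Even an authorized caller gets only the states this endpoint is for;
        // 'completed' should come from a verified gateway callback, not here.
        if (!in_array($status, ['pending', 'refunded'], true)) {
            return new WP_REST_Response(['error' => 'unsupported status'], 400);
        }
        update_post_meta($id, 'payment_status', $status);
        return new WP_REST_Response(['id' => $id, 'status' => $status]);
    }
}

/**
 * For user-import and profile-update paths (the import_items and speaker-email
 * entries): the caller needs rights over the *target* user, and a client-
 * supplied role must both exist and be one the caller may assign.
 */
function demo_can_modify_user(int $target_user_id, ?string $new_role = null): bool
{
    if (!current_user_can('edit_user', $target_user_id)) {
        return false;
    }
    if ($new_role !== null) {
        return current_user_can('promote_users') && wp_roles()->is_role($new_role);
    }
    return true;
}

add_action('rest_api_init', static fn() => (new DemoOrderController())->register_routes());
```

With this in place, an unauthenticated GET to /wp-json/demo-events/v1/orders/1 returns 401, a Subscriber reading another user's order gets 404 rather than the record, and a Subscriber posting to the same URL gets 403. The permission callback is the right place for both checks because WordPress evaluates it before the handler runs; a check inside the handler is easy to forget on the next route added.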
Eventin <= 4.0.20 - Authenticated (Contributor+) Local File Inclusion
high ✓ patched
cvss score 8.8
cwe CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
published Feb 23, 2025
The Eventin plugin for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 4.0.20. This makes it possible for authenticated attackers, with contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.
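The three Local File Inclusion entries (<= 4.0.20, <= 4.0.24 via the 'style' parameter, <= 4.0.25 via the 'events_tab' shortcode) and the CWE-98 note about "safe" uploaded file types describe the classic shape: a request parameter selects a template and becomes part of the included path. The following is an added example, not Eventin's code, of resolving a template name so that the request can only pick from a fixed set and the resulting path is verified to sit under the template directory. The template names and files are hypothetical and the demo creates its own scratch files.

```php
<?php
declare(strict_types=1);

/**
 * Added example, not Eventin's code. Maps a user-supplied template/style name to
 * a file guaranteed to live under $template_dir; returns null when the request
 * must be refused. The template names and files here are hypothetical.
 */
function resolve_template(string $requested, string $template_dir): ?string
{
    // 1. Allowlist by name, never by path. The request only selects an entry;
    //    the file name is ours. '..', 'php://', null bytes and uploaded "images"
    //    never reach the filesystem because they match no key.
    $allowed = ['style-1' => 'style-1.php', 'style-2' => 'style-2.php', 'grid' => 'grid.php'];
    $key = strtolower($requested);
    if (!isset($allowed[$key])) {
        return null;
    }
    // 2. Defence in depth: confirm the resolved file is really inside the
    //    template directory (a symlinked template, an edited allowlist).
    $base = realpath($template_dir);
    $file = realpath($template_dir . DIRECTORY_SEPARATOR . $allowed[$key]);
    if ($base === false || $file === false) {
        return null;
    }
    if (strncmp($file, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $file;
}

// The vulnerable shape, for contrast: the parameter is part of the included
// path, so include walks wherever the parameter points. Appending a fixed
// suffix narrows what can be reached; it does not stop the traversal.
function resolve_template_unsafe(string $requested, string $template_dir): string
{
    return $template_dir . '/' . $requested;
}

// Demo on a scratch directory (constructed files, removed again at the end).
$root = sys_get_temp_dir() . '/lfi-demo-' . getmypid();
mkdir("$root/templates", 0700, true);
file_put_contents("$root/templates/style-1.php", "<?php echo 'style-1';\n");
file_put_contents("$root/secret.txt", "not for the template engine\n");

$requests = [
    'style-1',
    'STYLE-1',
    'grid',                    // allowlisted, but the file does not exist
    '../secret.txt',
    '../../../../etc/passwd',
    'php://filter/convert.base64-encode/resource=../secret.txt',
    "style-1\0.jpg",
];
foreach ($requests as $r) {
    printf("%-60s => %s\n", addcslashes($r, "\0"), resolve_template($r, "$root/templates") ?? 'REFUSED');
}
$escape = resolve_template_unsafe('../secret.txt', "$root/templates");
printf("unsafe resolution of '../secret.txt' points at an existing file: %s\n",
    file_exists($escape) ? 'yes' : 'no');

unlink("$root/templates/style-1.php");
unlink("$root/secret.txt");
rmdir("$root/templates");
rmdir($root);
```

Only 'style-1' (in either case) resolves; every traversal, wrapper and null-byte request is refused at the allowlist, and 'grid' is refused at the realpath check because the file is absent. The same pattern applies to a shortcode attribute: a Contributor can place shortcodes, so a shortcode attribute is attacker input exactly like a GET parameter, and the allowlist must be the only thing that turns it into a path.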