10 vulnerabilities found for Eventin – Event Calendar, Event Registration, Tickets & Booking (AI Powered) by arraytics
CVE-2026-4109 (GCVE-0-2026-4109)
Vulnerability from cvelistv5
Published
2026-04-14 07:43
Modified
2026-04-14 13:00
CWE
- CWE-862 - Missing Authorization
Summary
The Eventin – Events Calendar, Event Booking, Ticket & Registration (AI Powered) plugin for WordPress is vulnerable to unauthorized access of data due to an improper capability check on the get_item_permissions_check() function in all versions up to, and including, 4.1.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read arbitrary order data including customer PII (name, email, phone) by iterating order IDs.
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| arraytics | Eventin – Event Calendar, Event Registration, Tickets & Booking (AI Powered) | Version: 0 ≤ 4.1.8 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-4109",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-14T13:00:31.579916Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-14T13:00:42.566Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Eventin \u2013 Event Calendar, Event Registration, Tickets \u0026 Booking (AI Powered)",
"vendor": "arraytics",
"versions": [
{
"lessThanOrEqual": "4.1.8",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Supakiad S."
}
],
"descriptions": [
{
"lang": "en",
"value": "The Eventin \u2013 Events Calendar, Event Booking, Ticket \u0026 Registration (AI Powered) plugin for WordPress is vulnerable to unauthorized access of data due to a improper capability check on the get_item_permissions_check() function in all versions up to, and including, 4.1.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read arbitrary order data including customer PII (name, email, phone) by iterating order IDs."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-14T07:43:03.588Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/87f82d5d-d89a-440d-8c23-ace5160a0739?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3501510/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-02-24T00:00:00.000Z",
"value": "Discovered"
},
{
"lang": "en",
"time": "2026-03-13T10:55:54.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-04-13T18:46:40.000Z",
"value": "Disclosed"
}
],
"title": "Eventin \u2013 Events Calendar, Event Booking, Ticket \u0026 Registration (AI Powered) \u003c= 4.1.8 Missing Authorization to Authenticated (Subscriber+) Order Information Exposure"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-4109",
"datePublished": "2026-04-14T07:43:03.588Z",
"dateReserved": "2026-03-13T10:40:12.586Z",
"dateUpdated": "2026-04-14T13:00:42.566Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-14657 (GCVE-0-2025-14657)
Vulnerability from cvelistv5
Published
2026-01-09 07:22
Modified
2026-04-08 17:29
CWE
- CWE-862 - Missing Authorization
Summary
The Eventin – Event Manager, Events Calendar, Event Tickets and Registrations plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'post_settings' function in all versions up to, and including, 4.0.51. This makes it possible for unauthenticated attackers to modify plugin settings. Furthermore, due to insufficient input sanitization and output escaping on the 'etn_primary_color' setting, this enables unauthenticated attackers to inject arbitrary web scripts that will execute whenever a user accesses a page where Eventin styles are loaded.
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| arraytics | Eventin – Event Calendar, Event Registration, Tickets & Booking (AI Powered) | Version: 0 ≤ 4.0.51 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-14657",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-09T18:07:15.776405Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-09T18:07:23.696Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Eventin \u2013 Event Calendar, Event Registration, Tickets \u0026 Booking (AI Powered)",
"vendor": "arraytics",
"versions": [
{
"lessThanOrEqual": "4.0.51",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Sarawut Poolkhet"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Eventin \u2013 Event Manager, Events Calendar, Event Tickets and Registrations plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the \u0027post_settings\u0027 function in all versions up to, and including, 4.0.51. This makes it possible for unauthenticated attackers to modify plugin settings. Furthermore, due to insufficient input sanitization and output escaping on the \u0027etn_primary_color\u0027 setting, this enables unauthenticated attackers to inject arbitrary web scripts that will execute whenever a user accesses a page where Eventin styles are loaded."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:29:31.164Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e4188b26-80f8-41b8-be19-1ddcbd7e39f5?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3429942/wp-event-solution/trunk/base/Enqueue/register.php?old=3390273\u0026old_path=wp-event-solution%2Ftrunk%2Fbase%2FEnqueue%2Fregister.php"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3429942/wp-event-solution/trunk/base/api-handler.php?old=3390273\u0026old_path=wp-event-solution%2Ftrunk%2Fbase%2Fapi-handler.php"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3429942/wp-event-solution/trunk/core/event/api.php?old=3390273\u0026old_path=wp-event-solution%2Ftrunk%2Fcore%2Fevent%2Fapi.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-12-11T00:00:00.000Z",
"value": "Discovered"
},
{
"lang": "en",
"time": "2025-12-13T12:42:56.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-01-08T18:45:19.000Z",
"value": "Disclosed"
}
],
"title": "Eventin \u2013 Event Manager, Event Booking, Calendar, Tickets and Registration Plugin (AI Powered) \u003c= 4.0.51 - Missing Authorization to Unauthenticated Stored Cross-Site Scripting via \u0027post_settings\u0027"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-14657",
"datePublished": "2026-01-09T07:22:12.728Z",
"dateReserved": "2025-12-13T12:25:43.872Z",
"dateUpdated": "2026-04-08T17:29:31.164Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-7813 (GCVE-0-2025-7813)
Vulnerability from cvelistv5
Published
2025-08-23 05:48
Modified
2026-04-08 17:13
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Summary
The Events Calendar, Event Booking, Registrations and Event Tickets – Eventin plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 4.0.37 via the proxy_image function. This makes it possible for unauthenticated attackers to make the web application issue web requests to arbitrary locations, which can be used to query and modify information from internal services.
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| arraytics | Eventin – Event Calendar, Event Registration, Tickets & Booking (AI Powered) | Version: 0 ≤ 4.0.37 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-7813",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-25T18:42:58.815701Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-25T18:43:09.697Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Eventin \u2013 Event Calendar, Event Registration, Tickets \u0026 Booking (AI Powered)",
"vendor": "arraytics",
"versions": [
{
"lessThanOrEqual": "4.0.37",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Gai Tanaka"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Events Calendar, Event Booking, Registrations and Event Tickets \u2013 Eventin plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 4.0.37 via the proxy_image function. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:13:37.374Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a73f806d-5d64-4df5-b032-3d3a149036ff?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-event-solution/trunk/core/Admin/hooks.php#L451"
},
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/wp-event-solution/event-manager-events-calendar-tickets-registrations-eventin-4026-unauthenticated-arbitrary-file-read"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3345781/wp-event-solution/tags/4.0.38/core/Admin/hooks.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-08-22T17:41:53.000Z",
"value": "Disclosed"
}
],
"title": "Event Manager, Events Calendar, Booking, Registrations and Tickets \u2013 Eventin \u003c= 4.0.37 - Unauthenticated Server-Side Request Forgery"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-7813",
"datePublished": "2025-08-23T05:48:19.990Z",
"dateReserved": "2025-07-18T15:45:12.183Z",
"dateUpdated": "2026-04-08T17:13:37.374Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-4796 (GCVE-0-2025-4796)
Vulnerability from cvelistv5
Published
2025-08-08 18:26
Modified
2026-04-08 17:11
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Summary
The Eventin plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 4.0.34. This is due to the plugin not properly validating a user's identity or capability prior to updating their details like email in the 'Eventin\Speaker\Api\SpeakerController::update_item' function. This makes it possible for authenticated attackers, with Contributor-level access and above (as the record's title and its CVSS vector, PR:L, indicate), to change arbitrary users' email addresses, including administrators, and leverage that to reset the user's password and gain access to their account.
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| arraytics | Eventin – Event Calendar, Event Registration, Tickets & Booking (AI Powered) | Version: 0 ≤ 4.0.34 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-4796",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-08T18:57:51.340619Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-08T18:58:03.058Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Eventin \u2013 Event Calendar, Event Registration, Tickets \u0026 Booking (AI Powered)",
"vendor": "arraytics",
"versions": [
{
"lessThanOrEqual": "4.0.34",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Istv\u00e1n M\u00e1rton"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Eventin plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 4.0.34. This is due to the plugin not properly validating a user\u0027s identity or capability prior to updating their details like email in the \u0027Eventin\\Speaker\\Api\\SpeakerController::update_item\u0027 function. This makes it possible for unauthenticated attackers with contributor-level and above permissions to change arbitrary user\u0027s email addresses, including administrators, and leverage that to reset the user\u0027s password and gain access to their account."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:11:41.513Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9e0d441d-1da5-45e7-8a14-ce178099c0cc?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-event-solution/tags/4.0.28/core/speaker/Api/SpeakerController.php#L419"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3336972/wp-event-solution/trunk/core/speaker/Api/SpeakerController.php#file0"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-05-15T00:00:00.000Z",
"value": "Discovered"
},
{
"lang": "en",
"time": "2025-05-15T00:00:00.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2025-08-08T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "Eventin \u003c= 4.0.34 - Authenticated (Contributor+) Privilege Escalation via User Email Change/Account Takeover"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-4796",
"datePublished": "2025-08-08T18:26:26.586Z",
"dateReserved": "2025-05-15T17:20:16.666Z",
"dateUpdated": "2026-04-08T17:11:41.513Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-3419 (GCVE-0-2025-3419)
Vulnerability from cvelistv5
Published
2025-05-08 05:22
Modified
2026-04-08 16:36
CWE
- CWE-73 - External Control of File Name or Path
Summary
The Event Manager, Events Calendar, Tickets, Registrations – Eventin plugin for WordPress is vulnerable to arbitrary file read in all versions up to, and including, 4.0.26 via the proxy_image() function. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information. CVE-2025-47445 is a duplicate of this vulnerability.
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| arraytics | Eventin – Event Calendar, Event Registration, Tickets & Booking (AI Powered) | Version: 0 ≤ 4.0.26 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-3419",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-08T14:11:17.752616Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-08T14:12:20.919Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Eventin \u2013 Event Calendar, Event Registration, Tickets \u0026 Booking (AI Powered)",
"vendor": "arraytics",
"versions": [
{
"lessThanOrEqual": "4.0.26",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Michael Mazzolini"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Event Manager, Events Calendar, Tickets, Registrations \u2013 Eventin plugin for WordPress is vulnerable to arbitrary file read in all versions up to, and including, 4.0.26 via the proxy_image() function. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information. CVE-2025-47445 is a duplicate of this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-73",
"description": "CWE-73 External Control of File Name or Path",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:36:48.311Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1479071c-85c3-41fd-8ad7-f0dee32f201b?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3284545/wp-event-solution/trunk/core/Admin/Hooks.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-05-07T16:25:44.000Z",
"value": "Disclosed"
}
],
"title": "Event Manager, Events Calendar, Tickets, Registrations \u2013 Eventin \u003c= 4.0.26 - Unauthenticated Arbitrary File Read"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-3419",
"datePublished": "2025-05-08T05:22:51.039Z",
"dateReserved": "2025-04-07T14:50:06.932Z",
"dateUpdated": "2026-04-08T16:36:48.311Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-1766 (GCVE-0-2025-1766)
Vulnerability from cvelistv5
Published
2025-03-20 05:22
Modified
2026-04-08 17:32
CWE
- CWE-862 - Missing Authorization
Summary
The Event Manager, Events Calendar, Tickets, Registrations – Eventin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'payment_complete' function in all versions up to, and including, 4.0.24. This makes it possible for unauthenticated attackers to update the status of ticket payments to 'completed', possibly resulting in financial loss.
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| arraytics | Eventin – Event Calendar, Event Registration, Tickets & Booking (AI Powered) | Version: 0 ≤ 4.0.24 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-1766",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-20T15:10:46.195717Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-20T15:10:55.571Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Eventin \u2013 Event Calendar, Event Registration, Tickets \u0026 Booking (AI Powered)",
"vendor": "arraytics",
"versions": [
{
"lessThanOrEqual": "4.0.24",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "wesley"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Event Manager, Events Calendar, Tickets, Registrations \u2013 Eventin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the \u0027payment_complete\u0027 function in all versions up to, and including, 4.0.24. This makes it possible for unauthenticated attackers to update the status of ticket payments to \u0027completed\u0027, possibly resulting in financial loss."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:32:40.671Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f2bcaff9-bf04-4d8e-9422-c433264067ff?source=cve"
},
{
"url": "http://plugins.trac.wordpress.org/browser/wp-event-solution/tags/4.0.24/core/Order/PaymentController.php#L97"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3257023/"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-03-19T17:03:39.000Z",
"value": "Disclosed"
}
],
"title": "Event Manager, Events Calendar, Tickets, Registrations \u2013 Eventin \u003c= 4.0.24 - Missing Authorization to Unauthenticated Payment Status Update"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-1766",
"datePublished": "2025-03-20T05:22:35.308Z",
"dateReserved": "2025-02-27T19:26:34.096Z",
"dateUpdated": "2026-04-08T17:32:40.671Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-1770 (GCVE-0-2025-1770)
Vulnerability from cvelistv5
Published
2025-03-20 05:22
Modified
2026-04-08 16:56
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Summary
The Event Manager, Events Calendar, Tickets, Registrations – Eventin plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.0.24 via the 'style' parameter. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| arraytics | Eventin – Event Calendar, Event Registration, Tickets & Booking (AI Powered) | Version: 0 ≤ 4.0.24 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-1770",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-20T15:11:08.732933Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-20T15:11:17.756Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Eventin \u2013 Event Calendar, Event Registration, Tickets \u0026 Booking (AI Powered)",
"vendor": "arraytics",
"versions": [
{
"lessThanOrEqual": "4.0.24",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "wesley"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Event Manager, Events Calendar, Tickets, Registrations \u2013 Eventin plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.0.24 via the \u0027style\u0027 parameter. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other \u201csafe\u201d file types can be uploaded and included."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:56:18.670Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5f24baee-7003-449b-9072-d95fa1e26c8f?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-event-solution/tags/4.0.24/widgets/upcoming-event-tab/style/tab-1.php#L53"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-event-solution/tags/4.0.24/widgets/events-calendar/events-calendar.php#L715"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3257023/"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-03-19T17:03:49.000Z",
"value": "Disclosed"
}
],
"title": "Event Manager, Events Calendar, Tickets, Registrations \u2013 Eventin \u003c= 4.0.24 - Authenticated (Contributor+) Local File Inclusion"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-1770",
"datePublished": "2025-03-20T05:22:34.878Z",
"dateReserved": "2025-02-28T00:09:15.655Z",
"dateUpdated": "2026-04-08T16:56:18.670Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-7149 (GCVE-0-2024-7149)
Vulnerability from cvelistv5
Published
2024-09-27 13:52
Modified
2026-04-08 17:01
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Summary
The Event Manager, Events Calendar, Tickets, Registrations – Eventin plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.0.8 via multiple style parameters. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| arraytics | Eventin – Event Calendar, Event Registration, Tickets & Booking (AI Powered) | Version: 0 ≤ 4.0.8 |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:themewinter:eventin:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "eventin",
"vendor": "themewinter",
"versions": [
{
"lessThanOrEqual": "4.0.8",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-7149",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-27T15:03:13.900374Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-27T16:21:52.561Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Eventin \u2013 Event Calendar, Event Registration, Tickets \u0026 Booking (AI Powered)",
"vendor": "arraytics",
"versions": [
{
"lessThanOrEqual": "4.0.8",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Matthew Rollings"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Event Manager, Events Calendar, Tickets, Registrations \u2013 Eventin plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.0.8 via multiple style parameters. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other \u201csafe\u201d file types can be uploaded and included."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:01:18.970Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/75537b61-5622-4b35-b80e-389526bd99f0?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-event-solution/trunk/widgets/speakers/speakers.php#L483"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-event-solution/trunk/widgets/events/events.php#L754"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-event-solution/trunk/widgets/schedule/schedule.php#L368"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-event-solution/trunk/widgets/schedule-list/schedule-list.php#L293"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-event-solution/trunk/widgets/events-tab/style/tab-1.php#L42"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3157415/"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-09-26T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "Event Manager, Events Calendar, Tickets, Registrations \u2013 Eventin \u003c= 4.0.8 - Authenticated (Contributor+) Local File Inclusion"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-7149",
"datePublished": "2024-09-27T13:52:55.422Z",
"dateReserved": "2024-07-26T21:05:54.791Z",
"dateUpdated": "2026-04-08T17:01:18.970Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-6033 (GCVE-0-2024-6033)
Vulnerability from cvelistv5
Published
2024-07-17 06:45
Modified
2026-04-08 16:37
CWE
- CWE-862 - Missing Authorization
Summary
The Event Manager, Events Calendar, Tickets, Registrations – Eventin plugin for WordPress is vulnerable to unauthorized data importation due to a missing capability check on the 'import_file' function in all versions up to, and including, 4.0.4. This makes it possible for authenticated attackers, with Contributor-level access and above, to import events, speakers, schedules and attendee data.
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| arraytics | Eventin – Event Calendar, Event Registration, Tickets & Booking (AI Powered) | Version: 0 ≤ 4.0.4 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-6033",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-17T13:18:25.340637Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-18T13:39:16.897Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T21:25:03.214Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1725c7f3-2fac-4714-a63e-6c43694483fc?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/wp-event-solution/trunk/core/admin/hooks.php#L135"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset/3117477/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Eventin \u2013 Event Calendar, Event Registration, Tickets \u0026 Booking (AI Powered)",
"vendor": "arraytics",
"versions": [
{
"lessThanOrEqual": "4.0.4",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Peter Thaleikis"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Event Manager, Events Calendar, Tickets, Registrations \u2013 Eventin plugin for WordPress is vulnerable to unauthorized data importation due to a missing capability check on the \u0027import_file\u0027 function in all versions up to, and including, 4.0.4. This makes it possible for authenticated attackers, with Contributor-level access and above, to import events, speakers, schedules and attendee data."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:37:19.652Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1725c7f3-2fac-4714-a63e-6c43694483fc?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-event-solution/trunk/core/admin/hooks.php#L135"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3117477/"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-07-16T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "Event Manager, Events Calendar, Tickets, Registrations \u2013 Eventin \u003c= 4.0.4 - Missing Authorization to Authenticated (Contributor+) Event Data Import"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-6033",
"datePublished": "2024-07-17T06:45:07.709Z",
"dateReserved": "2024-06-15T00:10:45.498Z",
"dateUpdated": "2026-04-08T16:37:19.652Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-1122 (GCVE-0-2024-1122)
Vulnerability from cvelistv5
Published
2024-02-09 04:31
Modified
2026-04-08 16:35
CWE
- CWE-862 - Missing Authorization
Summary
The Event Manager, Events Calendar, Events Tickets for WooCommerce – Eventin plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the export_data() function in all versions up to, and including, 3.3.50. This makes it possible for unauthenticated attackers to export event data.
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| arraytics | Eventin – Event Calendar, Event Registration, Tickets & Booking (AI Powered) | Version: 0 ≤ 3.3.50 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T18:26:30.575Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0cbdf679-1657-4249-a433-8fe0cddd94be?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset/3033231/wp-event-solution/tags/3.3.51/core/admin/hooks.php"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-1122",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-27T17:36:10.992983Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-27T17:36:57.800Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Eventin \u2013 Event Calendar, Event Registration, Tickets \u0026 Booking (AI Powered)",
"vendor": "arraytics",
"versions": [
{
"lessThanOrEqual": "3.3.50",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Francesco Carlucci"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Event Manager, Events Calendar, Events Tickets for WooCommerce \u2013 Eventin plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the export_data() function in all versions up to, and including, 3.3.50. This makes it possible for unauthenticated attackers to export event data."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:35:10.035Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0cbdf679-1657-4249-a433-8fe0cddd94be?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3033231/wp-event-solution/tags/3.3.51/core/admin/hooks.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-02-08T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "Event Manager, Events Calendar, Events Tickets for WooCommerce \u2013 Eventin \u003c= 3.3.50 - Missing Authorization to Unauthenticated Events Export"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-1122",
"datePublished": "2024-02-09T04:31:53.959Z",
"dateReserved": "2024-01-31T13:47:34.673Z",
"dateUpdated": "2026-04-08T16:35:10.035Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}