Platform: wordpress
Component: wp-event-solution
Fixed in: 4.0.25
CVE-2025-1770 describes a Local File Inclusion (LFI) vulnerability in the Eventin WordPress plugin. It allows authenticated users with Contributor-level access or higher to include and execute arbitrary files on the server, potentially leading to code execution. Versions 0.0.0 through 4.0.24 of the Eventin plugin are affected. A patch is expected from the vendor.
The primary impact of CVE-2025-1770 is the potential for remote code execution (RCE) on a WordPress server. An attacker, possessing only Contributor-level access, can exploit this vulnerability by crafting a malicious request that includes a PHP file containing arbitrary code. This code will then be executed by the web server, granting the attacker control over the server's processes. The attacker could then steal sensitive data, modify website content, install malware, or even gain complete control of the server. This vulnerability is particularly concerning because it requires only a low level of privilege to exploit, making it accessible to a wider range of attackers.
CVE-2025-1770 is currently not listed on the CISA KEV catalog. Public proof-of-concept (PoC) code is likely to emerge given the ease of exploitation and the vulnerability's impact. The CVSS score of 8.8 indicates a high probability of exploitation if the vulnerability remains unpatched. The vulnerability's reliance on authenticated access, while a slight barrier, does not significantly reduce the overall risk.
Exploit Status
EPSS: 0.55% (68th percentile)
CISA SSVC
CVSS Vector
The immediate mitigation for CVE-2025-1770 is to upgrade the Eventin plugin to a patched version as soon as it becomes available. Until a patch is released, consider implementing a Web Application Firewall (WAF) rule to block requests containing suspicious characters in the 'style' parameter. Additionally, restrict file upload permissions to prevent attackers from uploading malicious PHP files. Regularly scan your WordPress installation for vulnerabilities using a reputable security plugin. After upgrading, confirm the fix by attempting to access the vulnerable endpoint with a crafted request and verifying that it is blocked or returns an error.
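As an added example (not code from this advisory or from the Eventin project), the following Python script scans web-server access-log lines for file-inclusion indicators in the 'style' parameter that the WAF advice above refers to, decoding repeatedly so double-encoded traversal is not missed. The log lines, the request path and the action name are constructed assumptions; the page does not name the vulnerable endpoint.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (not real traffic). The endpoint path
# and "action=example" are assumptions; only the 'style' parameter name comes
# from the advisory.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Mar/2025:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=example&style=default HTTP/1.1" 200 512
10.0.0.7 - - [01/Mar/2025:10:00:02 +0000] "GET /wp-admin/admin-ajax.php?action=example&style=../../../../wp-config.php HTTP/1.1" 200 2048
10.0.0.8 - - [01/Mar/2025:10:00:03 +0000] "GET /wp-admin/admin-ajax.php?action=example&style=..%252f..%252fuploads%252fshell.php HTTP/1.1" 200 77
10.0.0.9 - - [01/Mar/2025:10:00:04 +0000] "GET /wp-admin/admin-ajax.php?action=example&style=php://filter/convert.base64-encode/resource=index.php HTTP/1.1" 200 99
10.0.0.6 - - [01/Mar/2025:10:00:05 +0000] "GET /?p=12 HTTP/1.1" 200 4000
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Indicators of file-inclusion abuse, checked on the fully decoded value:
# directory traversal, an absolute path, a stream wrapper (php://, etc.),
# a null byte, or a .php file where only a style name is expected.
SUSPICIOUS = re.compile(
    r"\.\.[\\/]|^[\\/]|^[a-z]+://|\x00|\.php\b", re.IGNORECASE
)


def fully_decode(value, rounds=3):
    """URL-decode repeatedly (bounded) to defeat double or triple encoding."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def flag_style_param(log_text):
    """Return (client_ip, decoded_style_value) for each request whose
    'style' parameter carries a file-inclusion indicator."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        # parse_qs decodes one layer; fully_decode handles the rest.
        for raw in parse_qs(query, keep_blank_values=True).get("style", []):
            decoded = fully_decode(raw)
            if SUSPICIOUS.search(decoded):
                hits.append((line.split()[0], decoded))
    return hits


if __name__ == "__main__":
    for ip, value in flag_style_param(SAMPLE_LOG):
        print(f"{ip} -> style={value!r}")
```

The same decode-then-match logic can be expressed as a WAF rule on the 'style' argument; the bounded decoding loop matters because a single-pass filter lets `%252e%252e%252f` through.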
Update the Eventin plugin to the latest available version. The local file inclusion vulnerability has been fixed in versions after 4.0.24. Be sure to take a full backup of your website before updating any plugin.
CVE-2025-1770 is a Local File Inclusion vulnerability in the Eventin WordPress plugin, allowing authenticated users to execute arbitrary PHP code.
You are affected if you are using Eventin plugin versions 0.0.0 through 4.0.24 and have users with Contributor-level access or higher.
Upgrade the Eventin plugin to a patched version as soon as it's available. Until then, implement WAF rules or restrict file upload permissions.
While no active exploitation has been confirmed, the high CVSS score and ease of exploitation suggest a high likelihood of exploitation if unpatched.
Check the Eventin plugin developer's website and WordPress plugin repository for updates and advisories related to CVE-2025-1770.