Platform: wordpress
Component: wp-event-solution
Fixed in: 4.0.38
CVE-2025-7813 describes a Server-Side Request Forgery (SSRF) vulnerability discovered in the Eventin WordPress plugin, a popular tool for event calendar, registration, and ticketing management. This flaw allows unauthenticated attackers to initiate web requests from the plugin, potentially exposing internal resources or manipulating data. The vulnerability impacts versions from 0.0.0 through 4.0.37, and a patch is available from the vendor.
The SSRF vulnerability in Eventin allows an attacker to craft malicious requests that appear to originate from the plugin itself. This can be exploited to query internal services that are not directly accessible from the outside world. For example, an attacker could attempt to access administrative interfaces, database servers, or other sensitive resources within the WordPress environment. Successful exploitation could lead to data breaches, unauthorized access, and potentially even complete compromise of the web server. The lack of authentication required for exploitation significantly increases the attack surface and potential impact.
CVE-2025-7813 was publicly disclosed on 2025-08-23. There is currently no indication of active exploitation campaigns targeting this vulnerability. The CVSS score of 7.2 (HIGH) reflects the potential impact and ease of exploitation. No KEV listing is currently available. Public proof-of-concept code is not yet available, but the SSRF nature of the vulnerability makes it likely that such code will emerge.
Exploit Status
EPSS: 0.15% (36th percentile)
The primary mitigation for CVE-2025-7813 is to immediately upgrade the Eventin plugin to a version containing the fix. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing a Web Application Firewall (WAF) rule to block outbound requests to potentially sensitive internal resources. Additionally, restrict network access to the WordPress server to only necessary ports and services. Monitor WordPress logs for unusual outbound requests originating from the Eventin plugin, specifically looking for requests to internal IP addresses or unusual domains. A YARA rule could be created to detect the vulnerable proxy_image function in the plugin’s codebase.
Update the Eventin plugin to the latest available version to mitigate the Server-Side Request Forgery (SSRF) vulnerability. This update corrects the proxy_image function, preventing unauthenticated attackers from making arbitrary web requests from the application.
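The two mitigation paragraphs above describe the same check from two sides: the patched proxy endpoint must refuse to fetch internal addresses on behalf of an unauthenticated caller, and defenders should review logs of outbound requests for exactly those targets. The block below is an added example of both, not Eventin's code; it does not reproduce the plugin's proxy_image function, whose internals this page does not show. The resolver table, the log format, and every hostname and address are constructed so the example runs offline; a real implementation resolves with the system resolver (checking every returned record), and a WordPress plugin would apply the same checks in PHP before handing the URL to its HTTP client.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Address ranges that a server-side fetch on behalf of an untrusted caller
# must never reach: "this" network, loopback, RFC 1918, CGNAT, link-local
# (which includes the 169.254.169.254 cloud metadata endpoint), multicast
# and reserved space, plus their IPv6 counterparts.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]

# Constructed resolver table standing in for DNS so the example runs offline.
# RFC 5737 documentation addresses play the role of "public" hosts here.
FAKE_DNS = {
    "cdn.example.com": ["203.0.113.10"],
    "images.example.net": ["198.51.100.7"],
    "mixed-records.example": ["203.0.113.20", "10.0.0.5"],  # one public, one internal
    "localtest.example": ["127.0.0.1"],
}


def is_internal_ip(ip_text: str) -> bool:
    """True if the address falls in a range that must not be fetched."""
    ip = ipaddress.ip_address(ip_text)
    # Unwrap IPv4-mapped IPv6 (::ffff:10.0.0.1) so the IPv4 ranges still apply.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETS)


def resolve(host: str) -> list[str]:
    """Offline stand-in for DNS. A bare IP literal resolves to itself;
    an unknown name resolves to nothing, which the caller treats as failure."""
    try:
        ipaddress.ip_address(host)
        return [host]
    except ValueError:
        return FAKE_DNS.get(host.lower(), [])


def check_outbound_url(url: str) -> tuple[bool, str]:
    """Decide whether an untrusted URL may be fetched server-side.
    Returns (allowed, reason). Fails closed on anything it cannot classify."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return False, f"scheme {parsed.scheme!r} not allowed"
    host = parsed.hostname
    if not host:
        return False, "no host in URL"
    if parsed.username or parsed.password:
        return False, "credentials embedded in URL"
    addrs = resolve(host)
    if not addrs:
        return False, f"{host} does not resolve"
    # Every returned address must pass: a name that mixes a public and an
    # internal record is rejected outright.
    for addr in addrs:
        if is_internal_ip(addr):
            return False, f"{host} resolves to internal address {addr}"
    return True, "ok"


# Constructed log lines in a made-up format; real web-server or plugin logs
# will differ, so only the regex needs adapting.
OUTBOUND_LINE = re.compile(r"outbound (?P<method>GET|POST) (?P<url>\S+)")
SAMPLE_LOG = """\
2025-08-24T10:01:02Z eventin outbound GET https://cdn.example.com/poster.jpg
2025-08-24T10:01:05Z eventin outbound GET http://169.254.169.254/
2025-08-24T10:01:09Z eventin outbound GET http://localtest.example/wp-admin/
2025-08-24T10:01:11Z eventin outbound GET file:///tmp/poster.jpg
2025-08-24T10:01:13Z eventin outbound GET http://mixed-records.example/banner.png
2025-08-24T10:01:15Z eventin outbound GET https://images.example.net/a.png
"""


def flag_suspicious(log_text: str) -> list[tuple[str, str]]:
    """Return (url, reason) for each logged outbound request that targets
    something the proxy should never have been allowed to fetch."""
    hits = []
    for line in log_text.splitlines():
        m = OUTBOUND_LINE.search(line)
        if m is None:
            continue
        allowed, reason = check_outbound_url(m.group("url"))
        if not allowed:
            hits.append((m.group("url"), reason))
    return hits


if __name__ == "__main__":
    for url, reason in flag_suspicious(SAMPLE_LOG):
        print(f"REVIEW {url}: {reason}")
```

The block list is explicit rather than relying on Python's `is_private`, because that property also treats the RFC 5737 documentation ranges used here as public stand-ins as private. Two caveats carry over to any real proxy: the address that passed the check must be the one actually connected to (otherwise a name can be re-resolved to an internal address between check and fetch), and HTTP redirects must be re-checked with the same function before they are followed.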
CVE-2025-7813 is a Server-Side Request Forgery vulnerability affecting the Eventin WordPress plugin, allowing attackers to make requests from the plugin itself.
If you are using Eventin plugin versions 0.0.0 through 4.0.37, you are potentially affected by this vulnerability.
Upgrade the Eventin plugin to a patched version. If immediate upgrade is not possible, implement WAF rules and restrict network access.
There is currently no indication of active exploitation campaigns, but the vulnerability's nature makes it a potential target.
Refer to the Eventin plugin developer's website or WordPress plugin repository for the official advisory and patch information.