Platform: wordpress
Component: wp-event-solution
Fixed in: 4.0.38
CVE-2025-7813 describes a Server-Side Request Forgery (SSRF) vulnerability discovered in the Eventin WordPress plugin, a popular tool for event calendar, registration, and ticketing management. This flaw allows unauthenticated attackers to initiate web requests from the plugin, potentially exposing internal resources or manipulating data. The vulnerability impacts versions from 0.0.0 through 4.0.37, and a patch is available from the vendor.
The SSRF vulnerability in Eventin allows an attacker to craft malicious requests that appear to originate from the plugin itself. This can be exploited to query internal services that are not directly accessible from the outside world. For example, an attacker could attempt to access administrative interfaces, database servers, or other sensitive resources within the WordPress environment. Successful exploitation could lead to data breaches, unauthorized access, and potentially even complete compromise of the web server. The lack of authentication required for exploitation significantly increases the attack surface and potential impact.
CVE-2025-7813 was publicly disclosed on 2025-08-23. There is currently no indication of active exploitation campaigns targeting this vulnerability. The CVSS score of 7.2 (HIGH) reflects the potential impact and ease of exploitation. The vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities (KEV) catalog. Public proof-of-concept code is not yet available, but the SSRF nature of the vulnerability makes it likely that such code will emerge.
Websites utilizing the Eventin plugin for event management, particularly those with internal services accessible from the web server, are at risk. Shared hosting environments where multiple WordPress sites share the same server are also at increased risk, as a compromise of one site could potentially lead to the compromise of others.
• wordpress / composer / npm:
grep -r 'proxy_image' /var/www/html/wp-content/plugins/eventin/
• generic web:
curl -I '<wordpress_site_url>/wp-content/plugins/eventin/proxy_image?url=http://localhost:8080'  # Check for internal resource access (URL quoted so the shell does not expand '?')
Exploit status
EPSS: 0.15% (36th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-7813 is to immediately upgrade the Eventin plugin to a version containing the fix (4.0.38 or later). If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider a Web Application Firewall (WAF) rule that blocks requests to the plugin whose url parameter points at internal or otherwise sensitive resources, and restrict the server's outbound connections to those resources. Additionally, restrict network access to the WordPress server to only necessary ports and services. Monitor web server and WordPress logs for requests to the Eventin plugin's proxy_image endpoint, specifically those whose url parameter points at internal IP addresses or unusual domains. A YARA rule could be created to detect the vulnerable proxy_image function in the plugin's codebase.
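Detection logic for the log-monitoring step above, as an added example rather than code from the plugin or this advisory: it scans web server access log lines for requests to the proxy_image endpoint whose url parameter names a loopback, private, link-local or other non-public host. The endpoint path is assumed from the check command earlier on the page, and the log lines are constructed samples.

```python
# Added example (not the plugin's or advisory's code): flag access-log requests
# to the Eventin proxy_image endpoint whose url= parameter names a non-public host.
import ipaddress
import re
from urllib.parse import parse_qs, unquote, urlsplit

PROXY_PATH = "/wp-content/plugins/eventin/proxy_image"   # assumed, from the curl check
_REQ = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')  # combined-log request line


def target_of(request_target):
    """Return the host named by url= on a proxy_image request, else None."""
    parts = urlsplit(request_target)
    if parts.path != PROXY_PATH:
        return None
    url = parse_qs(parts.query).get("url", [""])[0]
    # parse_qs already decodes once; unquote again to catch double encoding.
    return urlsplit(unquote(url)).hostname if url else None


def is_internal(host):
    """True for localhost names and any non-global IP literal; DNS names count as external."""
    if not host:
        return False
    if host.lower() in ("localhost", "localhost.localdomain"):
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # a DNS name: resolve it out of band if rebinding matters to you
    return not ip.is_global  # loopback, RFC1918, link-local, unspecified, reserved


def flag_ssrf_attempts(log_lines):
    """Return (client_ip, target_host) for each request that proxies to an internal host."""
    hits = []
    for line in log_lines:
        m = _REQ.search(line)
        host = target_of(m.group(1)) if m else None
        if is_internal(host):
            hits.append((line.split()[0], host))
    return hits


# Constructed sample lines (not real traffic); only the first two should be flagged.
SAMPLE_LOG = [
    '203.0.113.5 - - [23/Aug/2025:10:00:01 +0000] "GET /wp-content/plugins/eventin/proxy_image?url=http://localhost:8080/ HTTP/1.1" 200 512',
    '203.0.113.5 - - [23/Aug/2025:10:00:02 +0000] "GET /wp-content/plugins/eventin/proxy_image?url=http%3A%2F%2F10.0.0.12%2Fstatus HTTP/1.1" 200 88',
    '198.51.100.7 - - [23/Aug/2025:10:00:03 +0000] "GET /wp-content/plugins/eventin/proxy_image?url=https://cdn.example.com/banner.png HTTP/1.1" 200 4096',
    '198.51.100.7 - - [23/Aug/2025:10:00:04 +0000] "GET /wp-admin/ HTTP/1.1" 302 0',
]
```

Run `flag_ssrf_attempts` over your real access log lines; hostnames that are not IP literals are reported as external here, so resolve them separately if DNS-based tricks are a concern.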
Update the Eventin plugin to the latest available version to mitigate the Server-Side Request Forgery vulnerability. This update fixes the proxy_image function, preventing unauthenticated attackers from making arbitrary web requests from the application.
CVE-2025-7813 is a Server-Side Request Forgery vulnerability affecting the Eventin WordPress plugin, allowing attackers to make requests from the plugin itself.
If you are using Eventin plugin versions 0.0.0 through 4.0.37, you are potentially affected by this vulnerability.
Upgrade the Eventin plugin to a patched version. If immediate upgrade is not possible, implement WAF rules and restrict network access.
There is currently no indication of active exploitation campaigns, but the vulnerability's nature makes it a potential target.
Refer to the Eventin plugin developer's website or WordPress plugin repository for the official advisory and patch information.