Local File Inclusion Vulnerability in Event Manager Plugin for WordPress by Eventin
CVE-2025-1770

8.8HIGH

Key Information:

Vendor
WordPress
Status
Eventin – Event Manager, Events Calendar, Event Tickets And Registrations
Vendor
CVE Published:
20 March 2025

Summary

The Event Manager plugin for WordPress is susceptible to Local File Inclusion through the 'style' parameter in versions up to 4.0.24. Authenticated users with Contributor-level access or higher can exploit this vulnerability, allowing them to include and execute arbitrary PHP files on the server. This issue can lead to unauthorised access, sensitive data leakage, and even the execution of malicious code if users are able to upload seemingly safe files such as images.

Affected Version(s)

Eventin – Event Manager, Events Calendar, Event Tickets and Registrations * <= 4.0.24

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://plugins.trac.wordpress.org/browser/wp-event-solut...
https://plugins.trac.wordpress.org/browser/wp-event-solut...

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

wesley
.
CVE-2025-1770 : Local File Inclusion Vulnerability in Event Manager Plugin for WordPress by Eventin | SecurityVulnerability.io