Arbitrary File Read Vulnerability in Eventin Plugin for WordPress
CVE-2025-3419

7.5HIGH

Key Information:

Vendor: WordPress
Status: Event Manager, Events Calendar, Tickets, Registrations – Eventin
Vendor: CVE Published:; 8 May 2025

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2025-3419?

The Eventin plugin for WordPress is susceptible to an arbitrary file read vulnerability due to an improper implementation in the proxy_image() function. This security flaw affects all versions up to and including 4.0.26, enabling unauthenticated attackers to exploit the vulnerability and access sensitive files on the server. Such unauthorized access could lead to the disclosure of critical information, compromising the overall security of the WordPress site.

Affected Version(s)

Event Manager, Events Calendar, Tickets, Registrations – Eventin * <= 4.0.26

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2025-3419
Created by Yucaerin

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/changeset/3284545/wp-e...

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
Jun 6, 2025
👾
Exploit known to exist
Jun 6, 2025
Vulnerability published
May 8, 2025
Vulnerability Reserved
Apr 7, 2025

Credit

Michael Mazzolini