Arbitrary File Read Vulnerability in Eventin Plugin for WordPress
CVE-2025-3419
What is CVE-2025-3419?
The Eventin plugin for WordPress is susceptible to an arbitrary file read vulnerability due to an improper implementation in the proxy_image() function. This security flaw affects all versions up to and including 4.0.26, enabling unauthenticated attackers to exploit the vulnerability and access sensitive files on the server. Such unauthorized access could lead to the disclosure of critical information, compromising the overall security of the WordPress site.
Affected Version(s)
Event Manager, Events Calendar, Tickets, Registrations – Eventin * <= 4.0.26
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
References
CVSS V3.1
Timeline
- 🟡
Public PoC available
- 👾
Exploit known to exist
Vulnerability published
Vulnerability Reserved