CVE-2025-47539

Published May 23, 2025

Last updated 22 days ago

Overview

AI description

Automated description summarized from trusted sources.

CVE-2025-47539 affects the Eventin plugin for WordPress, versions up to and including 4.0.26. The `/wp-json/eventin/v2/speakers/import` REST API endpoint is registered with a `permission_callback` that always returns true, so no capability check runs before the user-import logic. An unauthenticated attacker can therefore upload a crafted CSV file to this endpoint and have the plugin create a new account with the administrator role, which amounts to complete compromise of the site. Because no credentials are required, any internet-reachable site running an affected version is exposed. The issue is fixed in Eventin version 4.0.27.
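The pattern described above, as an added illustration that is not Eventin's code: a WordPress REST route whose `permission_callback` is `__return_true` (the core idiom for a public route) beside a hardened registration that requires the `create_users` capability and refuses to honour an arbitrary role taken from the uploaded CSV. The namespace `example-plugin/v1`, the route paths and every `example_*` function name are assumptions made for this example; the real plugin's internals are not shown on this page.

```php
<?php
/**
 * Added example, not Eventin's code. Shows the vulnerable REST registration
 * pattern (always-true permission_callback, CSV role taken verbatim) next to
 * a hardened version. All names below are illustrative assumptions.
 */

// --- Vulnerable pattern -------------------------------------------------
// '__return_true' is the documented way to declare a PUBLIC route, so any
// unauthenticated HTTP client may invoke the importer.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-plugin/v1', '/speakers/import-unsafe', array(
        'methods'             => WP_REST_Server::CREATABLE,
        'callback'            => 'example_import_speakers_unsafe',
        'permission_callback' => '__return_true', // BUG: no authorization at all
    ) );
} );

function example_import_speakers_unsafe( WP_REST_Request $request ) {
    $files   = $request->get_file_params();
    $fh      = fopen( $files['file']['tmp_name'], 'r' );
    $created = array();
    while ( ( $row = fgetcsv( $fh ) ) !== false ) {
        // BUG: the role column is trusted, so a row carrying "administrator"
        // creates an administrator account for the anonymous caller.
        $created[] = wp_insert_user( array(
            'user_login' => $row[0],
            'user_email' => $row[1],
            'user_pass'  => $row[2],
            'role'       => $row[3],
        ) );
    }
    fclose( $fh );
    return rest_ensure_response( $created );
}

// --- Hardened pattern ---------------------------------------------------
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-plugin/v1', '/speakers/import', array(
        'methods'             => WP_REST_Server::CREATABLE,
        'callback'            => 'example_import_speakers_hardened',
        'permission_callback' => 'example_can_import_speakers',
    ) );
} );

// Authorization: the caller must already hold the capability to create users.
// For cookie-authenticated REST calls, WordPress core also requires a valid
// X-WP-Nonce before this callback runs; an anonymous request has user ID 0
// and current_user_can() returns false.
function example_can_import_speakers( WP_REST_Request $request ) {
    if ( ! current_user_can( 'create_users' ) ) {
        return new WP_Error(
            'rest_forbidden',
            'You are not allowed to import users.',
            array( 'status' => rest_authorization_required_code() )
        );
    }
    return true;
}

// Map a role name from the CSV to one the caller is actually allowed to
// assign. 'administrator' is refused unconditionally as defence in depth;
// anything unknown fails closed to the least-privileged built-in role.
function example_allowed_import_role( string $requested ): string {
    if ( ! function_exists( 'get_editable_roles' ) ) {
        require_once ABSPATH . 'wp-admin/includes/user.php';
    }
    $requested = sanitize_key( $requested );
    $editable  = array_keys( get_editable_roles() );
    if ( 'administrator' === $requested || ! in_array( $requested, $editable, true ) ) {
        return 'subscriber';
    }
    return $requested;
}

function example_import_speakers_hardened( WP_REST_Request $request ) {
    $files = $request->get_file_params();
    if ( empty( $files['file']['tmp_name'] ) || ! is_uploaded_file( $files['file']['tmp_name'] ) ) {
        return new WP_Error( 'rest_invalid_param', 'A CSV upload is required.', array( 'status' => 400 ) );
    }
    $fh      = fopen( $files['file']['tmp_name'], 'r' );
    $created = array();
    while ( ( $row = fgetcsv( $fh ) ) !== false ) {
        if ( count( $row ) < 2 || ! is_email( $row[1] ) ) {
            continue; // skip malformed rows instead of guessing at them
        }
        $result = wp_insert_user( array(
            'user_login' => sanitize_user( $row[0], true ),
            'user_email' => sanitize_email( $row[1] ),
            'user_pass'  => wp_generate_password( 24 ), // never accept passwords from the file
            'role'       => example_allowed_import_role( $row[3] ?? '' ),
        ) );
        if ( ! is_wp_error( $result ) ) {
            $created[] = $result;
        }
    }
    fclose( $fh );
    return rest_ensure_response( array( 'created' => $created ) );
}
```

The two changes are independent and both matter: the capability check stops anonymous callers, and the role allow-list means that even an authenticated low-privilege user who reaches the importer cannot mint an administrator from a CSV column.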

Description
Incorrect Privilege Assignment vulnerability in Themewinter Eventin allows Privilege Escalation. This issue affects Eventin: from n/a through 4.0.26.
Source
audit@patchstack.com
NVD status
Awaiting Analysis

Risk scores

CVSS 3.1

Type
Secondary
Base score
9.8
Impact score
5.9
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity
CRITICAL

Weaknesses

audit@patchstack.com
CWE-266

Social media

Hype score
Not currently trending
  1. 🚨 CVE-2025-47539 - critical 🚨 Eventin <= 4.0.26 - Privilege Escalation > The Eventin WordPress plugin before 4.0.27 suffers from an unauthenticated privilege ... 👾 https://t.co/7hT87AOe7X @pdnuclei #NucleiTemplates #cve

    @pdnuclei_bot

    27 May 2025

    88 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. CVE-2025-47539 Incorrect Privilege Assignment vulnerability in Themewinter Eventin allows Privilege Escalation. This issue affects Eventin: from n/a through 4.0.26. https://t.co/i4EF2Zc5Ok

    @CVEnew

    23 May 2025

    474 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. CVE-2025-47539 – #WordPress #Eventin Plugin Critical #Exploit https://t.co/fe97wjErLd

    @d4rk_c0r3

    21 May 2025

    13 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  4. 🚩 Critical WordPress Plugin Vulnerability Exposes 10K+ Sites to Cyber Attack https://t.co/74Zq1HnnRy A severe privilege escalation vulnerability (CVE-2025-47539) has been discovered in the popular WordPress plugin Eventin, allowing unauthenticated attackers to create

    @Huntio

    20 May 2025

    413 Impressions

    5 Retweets

    12 Likes

    2 Bookmarks

    0 Replies

    0 Quotes

  5. Hey hunters ⚡️ Check this out: CVE-2025-47539 Critical WordPress vulnerability for pre-auth privilege escalation! Here's how the permissions are checked by the plugin - "return true;"😂 Many vulnerable websites out there, maybe your target too! FOFA query: https://t.co/BiMN

    @chux13786509

    19 May 2025

    3611 Impressions

    7 Retweets

    51 Likes

    26 Bookmarks

    1 Reply

    1 Quote

  6. 🚨 A zero-day in the #Eventin WordPress plugin lets attackers create admin accounts—no login needed. Patch CVE-2025-47539 ASAP. Read More: https://t.co/kYtbfriGhC #zeroday #Cybersecurity #WordPress #WordPressSecurity #CVE202547539 #Canada #CanadaCyberAwareness https://t.co/

    @FindSecCyber

    18 May 2025

    42 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  7. 🚨 Critical WordPress Plugin Vulnerability (CVE-2025-47539) affects 10K+ sites. Attackers can gain full admin access — no login needed. Here’s everything you need to know & how to patch it: 🔗 https://t.co/9So4TfSLbs #WordPress #CyberSecurity #CVE202547539 #PluginVu

    @securecybernews

    18 May 2025

    10 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  8. ⚡️The vulnerability details are now available: https://t.co/1HUzFjU4Vb 🚨CRITICAL WordPress Alert🚨CVE-2025-47539 (CVSS 9.8) exposes Eventin sites to UNAUTHENTICATED privilege escalation! Attackers can hijack admin access via a flawed REST API, leading to TOTAL site tak

    @zoomeye_team

    17 May 2025

    365 Impressions

    0 Retweets

    5 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  9. A serious vulnerability (CVE-2025-47539) was discovered and fixed in Eventin, a popular WordPress event-management plugin. The vulnerability could allow an unauthenticated attacker to obtain administrator privileges and take over the site completely.

    @yousukezan

    16 May 2025

    552 Impressions

    0 Retweets

    3 Likes

    2 Bookmarks

    0 Replies

    0 Quotes

  10. CVE-2025-47539: Critical Privilege Escalation Flaw Hits 10K+ WordPress Eventin Sites https://t.co/m3yyTTHkb8

    @Dinosn

    16 May 2025

    1583 Impressions

    0 Retweets

    2 Likes

    0 Bookmarks

    0 Replies

    0 Quotes