CVE-2025-47539

Name of the Vulnerable Software and Affected Versions Eventin versions n/a through 4.0.26

Description A critical privilege escalation flaw has been discovered in the Eventin WordPress plugin, allowing unauthenticated attackers to gain full admin access without the need for a login. This issue affects over 10,000 WordPress sites. The vulnerability is related to an incorrect privilege assignment, which enables attackers to create admin accounts. The flaw exposes Eventin sites to unauthenticated privilege escalation via a flawed REST API, leading to total site takeover.

Recommendations For Eventin versions n/a through 4.0.26, update to a version that contains a fix for this issue as soon as possible. At the moment, there is no information about a newer version that contains a fix for this vulnerability.