PT-2025-32390 · WordPress · Eventin

István Márton · Published 2025-08-08 · Updated 2025-10-25 · CVE-2025-4796

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Eventin versions through 4.0.34

Description: The Eventin plugin for WordPress is vulnerable to privilege escalation, potentially leading to account takeover. The plugin does not adequately validate a user's identity or capabilities before allowing updates to user details such as email addresses; specifically, the update item function within the EventinSpeakerApiSpeakerController class is affected. Authenticated attackers with Contributor-level permissions or higher can exploit this flaw to modify the email address of any user, including administrators, and then reset that user's password to gain unauthorized access.

Recommendations: Eventin versions up to and including 4.0.34 are affected. Update to a version later than 4.0.34. As a temporary workaround, restrict access to the update item function within the EventinSpeakerApiSpeakerController class.
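The root cause described above is an authorization check that is too coarse for the action being performed: the caller is allowed to update a record without the check being tied to the specific user whose details change. The following is an added, illustrative WordPress REST controller written for this advisory; it is not Eventin's code, and the class, route and function names are hypothetical. It places the weak pattern (a role-level capability check only) beside a hardened one that evaluates the `edit_user` meta capability against the targeted user ID and treats email changes on privileged accounts as a sensitive action.

```php
<?php
// Illustrative example, not the plugin's code. All names here are hypothetical.

class Example_Speaker_Controller {

    public function register_routes() {
        // Weak pattern: the permission check only asks whether the caller may
        // edit posts (true for Contributor and above). Nothing relates the caller
        // to the user record whose e-mail is about to be changed, so any such
        // caller can target any user id.
        register_rest_route( 'example/v1', '/speakers/(?P<id>\d+)', [
            'methods'             => WP_REST_Server::EDITABLE,
            'callback'            => [ $this, 'update_item_weak' ],
            'permission_callback' => function () {
                return current_user_can( 'edit_posts' );
            },
        ] );

        // Hardened pattern: the permission check is evaluated per target user,
        // and the e-mail parameter is validated and sanitized before use.
        register_rest_route( 'example/v1', '/speakers-hardened/(?P<id>\d+)', [
            'methods'             => WP_REST_Server::EDITABLE,
            'callback'            => [ $this, 'update_item_hardened' ],
            'permission_callback' => [ $this, 'update_item_permissions_check' ],
            'args'                => [
                'id'    => [
                    'required'          => true,
                    'validate_callback' => function ( $value ) { return is_numeric( $value ); },
                ],
                'email' => [ 'sanitize_callback' => 'sanitize_email' ],
            ],
        ] );
    }

    public function update_item_weak( WP_REST_Request $request ) {
        // Missing object-level authorization: the id comes straight from the request.
        $user_id = (int) $request['id'];
        wp_update_user( [ 'ID' => $user_id, 'user_email' => $request['email'] ] );
        return rest_ensure_response( [ 'updated' => $user_id ] );
    }

    public function update_item_permissions_check( WP_REST_Request $request ) {
        $user_id = (int) $request['id'];
        // 'edit_user' is a meta capability that WordPress maps per target user:
        // a Contributor holds it only for their own account, while editing other
        // accounts maps to the 'edit_users' primitive that Administrators hold.
        if ( ! current_user_can( 'edit_user', $user_id ) ) {
            return new WP_Error(
                'rest_forbidden',
                'You are not allowed to edit this user.',
                [ 'status' => rest_authorization_required_code() ]
            );
        }
        return true;
    }

    public function update_item_hardened( WP_REST_Request $request ) {
        $user_id = (int) $request['id'];
        $email   = $request->get_param( 'email' );

        if ( null !== $email ) {
            if ( ! is_email( $email ) || email_exists( $email ) ) {
                return new WP_Error( 'rest_invalid_param', 'Invalid or duplicate e-mail.', [ 'status' => 400 ] );
            }
            // Changing the address of an account that can manage the site is a
            // password-reset path; require the caller to be able to promote users.
            if ( user_can( $user_id, 'manage_options' ) && ! current_user_can( 'promote_users' ) ) {
                return new WP_Error( 'rest_forbidden', 'Insufficient privileges for this account.', [ 'status' => 403 ] );
            }
            $result = wp_update_user( [ 'ID' => $user_id, 'user_email' => $email ] );
            if ( is_wp_error( $result ) ) {
                return $result;
            }
        }
        return rest_ensure_response( [ 'updated' => $user_id ] );
    }
}

add_action( 'rest_api_init', function () {
    ( new Example_Speaker_Controller() )->register_routes();
} );
```

The defensive point is the placement of the check: a `permission_callback` that returns true for a whole role is an authentication check, not an authorization check for the object being modified. Evaluating `current_user_can( 'edit_user', $user_id )` inside the permission callback makes the framework reject the request before the handler runs, which is also where the advisory's interim workaround (restricting access to the update function) would be applied.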

Tags: Fix, LPE, IDOR

Weakness Enumeration:

Related Identifiers: CVE-2025-4796

Affected Products: Eventin