CVE-2025-1766

Medium CVSS: 5.3

The Event Manager, Events Calendar, Tickets, Registrations – Eventin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'payment_complete' function in all versions up to, and including, 4.0.24. This makes it possible for unauthenticated attackers to update the status of ticket payments to 'completed', possibly resulting in financial loss.

Vendor

Themewinter

Product

Eventin

CWE

CWE-862

Yayın Tarihi

2025-03-20 06:15:22

Güncelleme

2025-08-11 18:04:48

Source Identifier

security@wordfence.com

KEV Date Added

Kategoriler

CWE-862 Eventin MEDIUM Themewinter 2025

Referanslar

http://plugins.trac.wordpress.org/browser/wp-event-solution/tags/4.0.24/core/Order/PaymentController.php#L97 https://plugins.trac.wordpress.org/changeset/3257023/ https://www.wordfence.com/threat-intel/vulnerabilities/id/f2bcaff9-bf04-4d8e-9422-c433264067ff?source=cve

Benzer Kayıtlar

High

CVE-2025-4796

The Eventin plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and i…

Medium

CVE-2025-49321

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Arraytics Eventin…

Unknown

CVE-2025-47539

Incorrect Privilege Assignment vulnerability in Arraytics Eventin wp-event-solution allows Privilege Escalation.This iss…

Critical

CVE-2025-47445

Relative Path Traversal vulnerability in Arraytics Eventin wp-event-solution allows Path Traversal.This issue affects Ev…

High

CVE-2025-3419

The Event Manager, Events Calendar, Tickets, Registrations – Eventin plugin for WordPress is vulnerable to arbitrary fil…

Unknown

CVE-2025-39584

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in…