{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-1766", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-02-27T19:26:34.096Z", "datePublished": "2025-03-20T05:22:35.308Z", "dateUpdated": "2026-04-08T17:32:40.671Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:32:40.671Z"}, "affected": [{"vendor": "arraytics", "product": "Eventin \u2013 Event Calendar, Event Registration, Tickets & Booking (AI Powered)", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "4.0.24", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Event Manager, Events Calendar, Tickets, Registrations \u2013 Eventin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'payment_complete' function in all versions up to, and including, 4.0.24. This makes it possible for unauthenticated attackers to update the status of ticket payments to 'completed', possibly resulting in financial loss."}], "title": "Event Manager, Events Calendar, Tickets, Registrations \u2013 Eventin <= 4.0.24 - Missing Authorization to Unauthenticated Payment Status Update", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f2bcaff9-bf04-4d8e-9422-c433264067ff?source=cve"}, {"url": "http://plugins.trac.wordpress.org/browser/wp-event-solution/tags/4.0.24/core/Order/PaymentController.php#L97"}, {"url": "https://plugins.trac.wordpress.org/changeset/3257023/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "wesley"}], "timeline": [{"time": "2025-03-19T17:03:39.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-03-20T15:10:46.195717Z", "id": "CVE-2025-1766", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-20T15:10:55.571Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-1766", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-03-20T15:10:46.195717Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-20T15:10:50.372Z"}}], "cna": {"title": "Event Manager, Events Calendar, Tickets, Registrations \u2013 Eventin <= 4.0.24 - Missing Authorization to Unauthenticated Payment Status Update", "credits": [{"lang": "en", "type": "finder", "value": "wesley"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "themewinter", "product": "Eventin \u2013 Event Manager, Events Calendar, Event Tickets and Registrations", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "4.0.24"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-03-19T17:03:39.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f2bcaff9-bf04-4d8e-9422-c433264067ff?source=cve"}, {"url": "http://plugins.trac.wordpress.org/browser/wp-event-solution/tags/4.0.24/core/Order/PaymentController.php#L97"}, {"url": "https://plugins.trac.wordpress.org/changeset/3257023/"}], "descriptions": [{"lang": "en", "value": "The Event Manager, Events Calendar, Tickets, Registrations \u2013 Eventin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'payment_complete' function in all versions up to, and including, 4.0.24. This makes it possible for unauthenticated attackers to update the status of ticket payments to 'completed', possibly resulting in financial loss."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-03-20T05:22:35.308Z"}}}, "cveMetadata": {"cveId": "CVE-2025-1766", "state": "PUBLISHED", "dateUpdated": "2025-03-20T15:10:55.571Z", "dateReserved": "2025-02-27T19:26:34.096Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-03-20T05:22:35.308Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:themewinter:eventin:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "83E51B23-6F8A-478C-AF23-391D5E7EC252", "versionEndExcluding": "4.0.25", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The Event Manager, Events Calendar, Tickets, Registrations \u2013 Eventin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'payment_complete' function in all versions up to, and including, 4.0.24. This makes it possible for unauthenticated attackers to update the status of ticket payments to 'completed', possibly resulting in financial loss."}, {"lang": "es", "value": "El complemento Event Manager, Events Calendar, Tickets, Registrations \u2013 Eventin para WordPress, es vulnerable a la modificaci\u00f3n no autorizada de datos debido a la falta de una comprobaci\u00f3n de capacidad en la funci\u00f3n 'payment_complete' en todas las versiones hasta la 4.0.24 incluida. Esto permite que atacantes no autenticados actualicen el estado de los pagos de entradas a 'completado', lo que podr\u00eda resultar en p\u00e9rdidas econ\u00f3micas."}], "id": "CVE-2025-1766", "lastModified": "2025-08-11T18:04:48.627", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2025-03-20T06:15:22.740", "references": [{"source": "security@wordfence.com", "tags": ["Product"], "url": "http://plugins.trac.wordpress.org/browser/wp-event-solution/tags/4.0.24/core/Order/PaymentController.php#L97"}, {"source": "security@wordfence.com", "tags": ["Product"], "url": "https://plugins.trac.wordpress.org/changeset/3257023/"}, {"source": "security@wordfence.com", "tags": ["Third Party Advisory"], "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f2bcaff9-bf04-4d8e-9422-c433264067ff?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T23:31:56.034385+00:00", "value": {"mitigation_remediation": ["Apply the latest Eventin plugin update (4.0.25 or newer).", "If an update is not possible, remove or disable the payment_complete endpoint or restrict it to users with appropriate capabilities.", "Implement a web application firewall rule to block unauthorized payment status update requests."], "summary": {"action": "Update Plugin", "impact": "Unauthorized Payment Status Update"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Eventin event management plugin, versions 4.0.24 and earlier, used within WordPress installations.", "description_and_impact": "The Eventin WordPress plugin contains a missing capability check on the payment_complete function. As a result, unauthenticated attackers can change ticket payment status to 'completed' without authorization, creating opportunities for financial loss by approving payments that have not been legitimately processed.", "risk_and_exploitability": "The CVSS score of 5.3 indicates moderate severity, while the EPSS score of less than 1% suggests low exploitation probability at the time of analysis. The vulnerability is not listed in CISA KEV. Based on the description, it is inferred that attackers could directly request the payment_complete endpoint without authentication, allowing them to modify payment status."}}}}, "created": "2026-04-20T23:45:21.600573+00:00", "updated": "2026-04-20T23:45:21.600584+00:00", "vendors": []}