{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-3419", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-04-07T14:50:06.932Z", "datePublished": "2025-05-08T05:22:51.039Z", "dateUpdated": "2026-04-08T16:36:48.311Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:36:48.311Z"}, "affected": [{"vendor": "arraytics", "product": "Eventin \u2013 Event Calendar, Event Registration, Tickets & Booking (AI Powered)", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "4.0.26", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Event Manager, Events Calendar, Tickets, Registrations \u2013 Eventin plugin for WordPress is vulnerable to arbitrary file read in all versions up to, and including, 4.0.26 via the proxy_image() function. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information. CVE-2025-47445 is a duplicate of this vulnerability."}], "title": "Event Manager, Events Calendar, Tickets, Registrations \u2013 Eventin <= 4.0.26 - Unauthenticated Arbitrary File Read", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1479071c-85c3-41fd-8ad7-f0dee32f201b?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3284545/wp-event-solution/trunk/core/Admin/Hooks.php"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-73 External Control of File Name or Path", "cweId": "CWE-73", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Michael Mazzolini"}], "timeline": [{"time": "2025-05-07T16:25:44.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-05-08T14:11:17.752616Z", "id": "CVE-2025-3419", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-08T14:12:20.919Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-3419", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-05-08T14:11:17.752616Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-08T14:11:33.581Z"}}], "cna": {"title": "Event Manager, Events Calendar, Tickets, Registrations \u2013 Eventin <= 4.0.26 - Unauthenticated Arbitrary File Read", "credits": [{"lang": "en", "type": "finder", "value": "Michael Mazzolini"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}}], "affected": [{"vendor": "themewinter", "product": "Event Manager, Events Calendar, Tickets, Registrations \u2013 Eventin", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "4.0.26"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-05-07T16:25:44.000+00:00", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1479071c-85c3-41fd-8ad7-f0dee32f201b?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3284545/wp-event-solution/trunk/core/Admin/Hooks.php"}], "descriptions": [{"lang": "en", "value": "The Event Manager, Events Calendar, Tickets, Registrations \u2013 Eventin plugin for WordPress is vulnerable to arbitrary file read in all versions up to, and including, 4.0.26 via the proxy_image() function. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-73", "description": "CWE-73 External Control of File Name or Path"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-05-08T05:22:51.039Z"}}}, "cveMetadata": {"cveId": "CVE-2025-3419", "state": "PUBLISHED", "dateUpdated": "2025-05-08T14:12:20.919Z", "dateReserved": "2025-04-07T14:50:06.932Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-05-08T05:22:51.039Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:themewinter:eventin:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "A1F96AB4-859C-463B-A3B3-C1C0C0D2D64B", "versionEndExcluding": "4.0.27", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The Event Manager, Events Calendar, Tickets, Registrations \u2013 Eventin plugin for WordPress is vulnerable to arbitrary file read in all versions up to, and including, 4.0.26 via the proxy_image() function. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information. CVE-2025-47445 is a duplicate of this vulnerability."}, {"lang": "es", "value": "El complemento Event Manager, Events Calendar, Tickets, Registrations \u2013 Eventin para WordPress es vulnerable a la lectura de archivos arbitrarios en todas las versiones hasta la 4.0.26 incluida, mediante la funci\u00f3n proxy_image(). Esto permite a atacantes no autenticados leer el contenido de archivos arbitrarios en el servidor, que pueden contener informaci\u00f3n confidencial."}], "id": "CVE-2025-3419", "lastModified": "2026-04-08T17:20:40.363", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security@wordfence.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-05-08T06:15:32.023", "references": [{"source": "security@wordfence.com", "tags": ["Patch"], "url": "https://plugins.trac.wordpress.org/changeset/3284545/wp-event-solution/trunk/core/Admin/Hooks.php"}, {"source": "security@wordfence.com", "tags": ["Third Party Advisory"], "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1479071c-85c3-41fd-8ad7-f0dee32f201b?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-73"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T17:23:29.106323+00:00", "value": {"mitigation_remediation": ["Upgrade the Eventin plugin to version 4.0.27 or newer.", "Disable the proxy_image() feature or block access to the proxy image endpoint through the web server configuration.", "Limit file permissions for the web server user so that only necessary files are readable, and monitor server logs for suspicious read attempts."], "summary": {"action": "Patch Immediately", "impact": "Arbitrary file read"}, "threat_synthesis": {"affected_systems": "WordPress sites using the Eventin \u2013 Event Calendar, Tickets & Booking plugin from arraytics, version 4.0.26 or earlier. The vulnerability affects all WordPress installations that have the plugin enabled.", "description_and_impact": "The Eventin plugin for WordPress contains a vulnerability that allows unauthenticated attackers to read arbitrary files on the server through the proxy_image() function, exposing sensitive data. The flaw is a classic CWE-73 path traversal issue that can be exploited by sending crafted requests to the plugin\u2019s proxy image endpoint, resulting in file disclosure without authentication.", "risk_and_exploitability": "The CVSS score is 7.5 indicating a high severity, while the EPSS score of less than 1% suggests a low likelihood of current exploitation. The vulnerability is not listed in the CISA KEV catalog. Attackers can achieve disclosure of arbitrary files with no credentials, making the risk primarily to confidentiality. There are no known active exploits, but the existence of the flaw mandates remediation."}}}}, "created": "2026-04-22T17:30:22.634477+00:00", "updated": "2026-04-22T17:30:22.634488+00:00", "vendors": []}