{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-7813", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-07-18T15:45:12.183Z", "datePublished": "2025-08-23T05:48:19.990Z", "dateUpdated": "2026-04-08T17:13:37.374Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:13:37.374Z"}, "affected": [{"vendor": "arraytics", "product": "Eventin \u2013 Event Calendar, Event Registration, Tickets & Booking (AI Powered)", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "4.0.37", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Events Calendar, Event Booking, Registrations and Event Tickets \u2013 Eventin plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 4.0.37 via the proxy_image function. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services."}], "title": "Event Manager, Events Calendar, Booking, Registrations and Tickets \u2013 Eventin <= 4.0.37 - Unauthenticated Server-Side Request Forgery", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a73f806d-5d64-4df5-b032-3d3a149036ff?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-event-solution/trunk/core/Admin/hooks.php#L451"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/wp-event-solution/event-manager-events-calendar-tickets-registrations-eventin-4026-unauthenticated-arbitrary-file-read"}, {"url": "https://plugins.trac.wordpress.org/changeset/3345781/wp-event-solution/tags/4.0.38/core/Admin/hooks.php"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-918 Server-Side Request Forgery (SSRF)", "cweId": "CWE-918", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "baseScore": 7.2, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Gai Tanaka"}], "timeline": [{"time": "2025-08-22T17:41:53.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-08-25T18:42:58.815701Z", "id": "CVE-2025-7813", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-25T18:43:09.697Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-7813", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-08-25T18:42:58.815701Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-25T18:43:03.619Z"}}], "cna": {"title": "Event Manager, Events Calendar, Booking, Registrations and Tickets \u2013 Eventin <= 4.0.37 - Unauthenticated Server-Side Request Forgery", "credits": [{"lang": "en", "type": "finder", "value": "Gai Tanaka"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 7.2, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "arraytics", "product": "Eventin \u2013 Event Calendar, Event Registration, Tickets & Booking (AI Powered)", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "4.0.37"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-08-22T17:41:53.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a73f806d-5d64-4df5-b032-3d3a149036ff?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-event-solution/trunk/core/Admin/hooks.php#L451"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/wp-event-solution/event-manager-events-calendar-tickets-registrations-eventin-4026-unauthenticated-arbitrary-file-read"}, {"url": "https://plugins.trac.wordpress.org/changeset/3345781/wp-event-solution/tags/4.0.38/core/Admin/hooks.php"}], "descriptions": [{"lang": "en", "value": "The Events Calendar, Event Booking, Registrations and Event Tickets \u2013 Eventin plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 4.0.37 via the proxy_image function. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918 Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:13:37.374Z"}}}, "cveMetadata": {"cveId": "CVE-2025-7813", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:13:37.374Z", "dateReserved": "2025-07-18T15:45:12.183Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-08-23T05:48:19.990Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Events Calendar, Event Booking, Registrations and Event Tickets \u2013 Eventin plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 4.0.37 via the proxy_image function. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services."}, {"lang": "es", "value": "El complemento Events Calendar, Event Booking, Registrations and Event Tickets \u2013 Eventin para Wordpress es vulnerable a la falsificaci\u00f3n de solicitudes del lado del servidor en todas las versiones hasta la 4.0.37 incluida, a trav\u00e9s de la funci\u00f3n proxy_image. Esto permite a atacantes no autenticados realizar solicitudes web a ubicaciones arbitrarias desde la aplicaci\u00f3n web y utilizarlas para consultar y modificar informaci\u00f3n de servicios internos."}], "id": "CVE-2025-7813", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-08-23T06:15:29.607", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wp-event-solution/trunk/core/Admin/hooks.php#L451"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3345781/wp-event-solution/tags/4.0.38/core/Admin/hooks.php"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a73f806d-5d64-4df5-b032-3d3a149036ff?source=cve"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/wp-event-solution/event-manager-events-calendar-tickets-registrations-eventin-4026-unauthenticated-arbitrary-file-read"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T19:48:22.744585+00:00", "value": {"mitigation_remediation": ["Update the Eventin plugin to version 4.0.38 or later where the SSRF issue is fixed.", "If an update is not immediately possible, remove or comment out the proxy_image function in the plugin\u2019s code to block the vulnerable functionality.", "Implement network-level controls or firewall rules to restrict outbound HTTP requests from the WordPress server to only trusted external destinations, thereby limiting the impact of any remaining SSRF vectors."], "summary": {"action": "Apply Patch", "impact": "Server\u2011Side Request Forgery"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Eventin \u2013 Event Calendar, Event Registration, Tickets & Booking (AI Powered) plugin version 4.0.37 and all earlier releases. The plugin is distributed by arraytics and installed via the WordPress plugin repository.", "description_and_impact": "The Eventin plugin for WordPress contains an SSRF vulnerability in the proxy_image function that allows unauthenticated attackers to trigger web requests from the application to arbitrary URLs. This can expose internal resources or modify data on services reachable from the host, potentially leaking sensitive information or enabling further attacks such as credential compromise or denial of service. The weakness is classified as CWE\u2011918.", "risk_and_exploitability": "The CVSS score of 7.2 categorizes the issue as a high\u2011severity risk. The EPSS score of less than 1% indicates that exploitation is considered unlikely at present, and the vulnerability is not currently listed in the CISA KEV catalog. Attackers would leverage the public proxy_image endpoint to issue requests to internal IPs or service endpoints, making the threat most relevant in environments where the WordPress site can reach sensitive internal services."}}}}, "created": "2025-08-23T17:27:25.489993+00:00", "updated": "2026-04-20T20:00:10.506934+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}