CVE-2025-68045

Eventin – Event Calendar, Event Registration, Tickets & Booking (AI Powered) <= 4.1.12 - Missing Authorization

mediumMissing Authorization
5.3
CVSS Score
5.3
CVSS Score
medium
Severity
4.1.13
Patched in
9d
Time to patch

Description

The Eventin – Event Calendar, Event Registration, Tickets & Booking (AI Powered) plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 4.1.12. This makes it possible for unauthenticated attackers to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=4.1.12
PublishedJune 15, 2026
Last updatedJune 23, 2026
Affected pluginwp-event-solution

What Changed in the Fix

Changes introduced in v4.1.13

Loading patch diff...

Source Code

WordPress.org SVN
Research Plan
Unverified

# Exploitation Research Plan - CVE-2025-68045 ## 1. Vulnerability Summary CVE-2025-68045 identifies a Missing Authorization vulnerability in the **Eventin** plugin (<= 4.1.12). The vulnerability resides in the REST API controllers registered by `ApiManager.php`. Several controllers (notably those h…

Show full research plan

Exploitation Research Plan - CVE-2025-68045

1. Vulnerability Summary

CVE-2025-68045 identifies a Missing Authorization vulnerability in the Eventin plugin (<= 4.1.12). The vulnerability resides in the REST API controllers registered by ApiManager.php. Several controllers (notably those handling attendees, reports, and customers) register an /export endpoint. Due to a missing or permissive permission_callback in the route registration, unauthenticated attackers can access these endpoints to exfiltrate sensitive data (such as attendee lists, email addresses, and transaction details).

2. Attack Vector Analysis

  • Endpoint: POST /wp-json/eventin/v2/{type}/export
  • Vulnerable Types (type):
    • attendee (Primary target: PII exfiltration)
    • report (Analytics/Sales data)
    • customer (User data)
    • transaction (Financial records)
  • Authentication: Unauthenticated (No Authorization header or Cookies required).
  • Parameters:
    • format: (string) json or csv.
    • ids: (array) Optional list of specific IDs to export.
    • filters: (object) Optional filters for the query.
  • Preconditions: The plugin must be active. Some data (attendees/events) must exist in the database for the export to return results.

3. Code Flow

  1. Initialization: Eventin\ApiManager::register() is called during rest_api_init.
  2. Registration: The manager loops through $controllers (defined in ApiManager.php), including AttendeeController::class and ReportController::class.
  3. Route Definition: Each controller calls register_routes(). Inside this method (inferred from the JS behavior in 60254), a route is registered for export using register_rest_route().
  4. The Flaw: The permission_callback for the POST request to export is either missing, returns true, or fails to check for manage_options or similar administrative capabilities.
  5. Processing: When a request is sent to /eventin/v2/attendee/export, the controller's callback processes the format and filters parameters and returns the full attendee database.

4. Nonce Acquisition Strategy

While WordPress REST API POST requests generally require a nonce (_wpnonce) to prevent CSRF for authenticated sessions, unauthenticated endpoints often do not enforce nonce verification if the permission_callback is bypassed or set to __return_true.

If the endpoint does require a nonce, it can be extracted from the frontend where the Eventin dashboard or event pages are loaded.

  1. Identify Trigger: The export functionality is used in the Eventin Admin dashboard. The JS localizes data into a global object.
  2. Localization Variable: Based on the JS chunks, the plugin likely uses window.eventin_localized or window.localized_data_obj.
  3. Extraction:
    • Create a page with a shortcode that forces the loading of Eventin scripts: [etn-event-calendar].
    • Navigate to the page.
    • Execute: browser_eval("window.wpApiSettings?.nonce") (Standard WordPress REST nonce) or check the localized object for a specific key.
    • Note: If the vulnerability is truly unauthenticated authorization bypass, the nonce check is likely either absent or satisfied by a null/empty session.

5. Exploitation Strategy

The goal is to trigger the export of all attendees via the REST API.

  • Step 1: Target the Attendee export endpoint.
  • Tool: http_request
  • Method: POST
  • URL: http://[target]/wp-json/eventin/v2/attendee/export
  • Headers:
    • Content-Type: application/json
  • Payload:
    {
      "format": "json",
      "ids": [],
      "filters": {}
    }
    
  • Step 2: If the above fails with a 403, attempt to target the report or customer types:
    • POST /wp-json/eventin/v2/report/export
    • POST /wp-json/eventin/v2/customer/export

6. Test Data Setup

  1. Install Eventin <= 4.1.12.
  2. Create a dummy event.
  3. Register at least 2-3 "Attendees" for the event via the WordPress admin or frontend registration form to ensure there is data to exfiltrate.
  4. Ensure Permalink settings are set to anything other than "Plain" (to enable /wp-json/).

7. Expected Results

  • Success: The server returns a 200 OK response with a JSON body (or CSV text) containing a list of attendees, including fields like attendee_name, attendee_email, event_id, and registration dates.
  • Failure: A 401 Unauthorized or 403 Forbidden response, indicating the authorization check is present.

8. Verification Steps

After performing the HTTP request, verify the data integrity:

  1. Use WP-CLI to count attendees: wp post list --post_type=etn-attendee --format=count
  2. Compare the count and specific emails from the HTTP response with the database:
    wp db query "SELECT post_title FROM wp_posts WHERE post_type='etn-attendee'"
  3. Confirm the attacker's ability to see data that should be restricted to the manage_options capability.

9. Alternative Approaches

  • Format Manipulation: If json is blocked, attempt format: "csv". Some security filters may only inspect JSON bodies.
  • Filter Injection: Attempt to use the filters parameter to bypass basic checks or probe for further vulnerabilities (e.g., SQL injection if filters are passed unsafely to a query).
  • Parameter Polling: Try GET instead of POST if the route registration used WP_REST_Server::ALL_METHODS.
Research Findings
Static analysis — not yet PoC-verified

Summary

The Eventin plugin for WordPress fails to implement authorization checks on multiple REST API export endpoints, such as those for attendees, customers, and reports. This allows unauthenticated attackers to exfiltrate sensitive data, including PII and transaction records, by sending a crafted POST request to the affected endpoints.

Vulnerable Code

// base/ApiManager.php - The ApiManager registers multiple controllers that lack proper permission_callback constraints in their register_routes methods.

protected static $controllers = [
    EventController::class,
    SpeakerController::class,
    ScheduleController::class,
    LocationController::class,
    EventCategoryController::class,
    SettingsController::class,
    AttendeeController::class,
    SpeakerCategoryController::class,
    EventTagController::class,
    TransactionController::class,
    OrderController::class,
    PaymentController::class,
    CustomerController::class,
    ExtensionController::class,
    ReportController::class,
    TemplateController::class,
    SetupNotification::class,
    TemplateBuilderController::class,
];

public static function register(): void {
    $controllers = apply_filters( 'eventin_api_controllers', self::$controllers );
    
    foreach ( $controllers as $controller ) {
        if ( ! class_exists( $controller ) ) {
            continue;
        }

        if ( is_subclass_of( $controller, WP_REST_Controller::class ) ) {
            $api_controller = Eventin::$container->get( $controller );
            $api_controller->register_routes();
        }
    }
}

Security Fix

diff -ru /home/deploy/wp-safety.org/data/plugin-versions/wp-event-solution/4.1.12/base/ApiManager.php /home/deploy/wp-safety.org/data/plugin-versions/wp-event-solution/4.1.13/base/ApiManager.php
--- /home/deploy/wp-safety.org/data/plugin-versions/wp-event-solution/4.1.12/base/ApiManager.php	2025-11-05 09:28:48.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/wp-event-solution/4.1.13/base/ApiManager.php	2026-05-19 19:06:44.000000000 +0000
@@ -16,6 +16,7 @@
 use Eventin\Speaker\Api\SpeakerCategoryController;
 use Eventin\Speaker\Api\SpeakerController;
 use Eventin\Extensions\Api\ExtensionController;
+use Eventin\Extensions\Api\TutorLmsSettingsController;
 use Eventin\SetupNotification\Api\SetupNotification;
 use Eventin\Template\Api\TemplateController;
 use Eventin\Template\Api\TemplateBuilderController;
@@ -45,6 +46,7 @@
         PaymentController::class,
         CustomerController::class,
         ExtensionController::class,
+        TutorLmsSettingsController::class,
         ReportController::class,
         TemplateController::class,
         SetupNotification::class,

Exploit Outline

The exploit targets the WordPress REST API endpoints registered by the Eventin plugin. An attacker can perform the following steps: 1. Target Endpoint: Identify the export endpoint for the desired data type, such as `/wp-json/eventin/v2/attendee/export` or `/wp-json/eventin/v2/customer/export`. 2. Request Method: Use a POST request to trigger the export functionality. 3. Payload Structure: Send a JSON payload specifying the format (e.g., `{"format": "json"}`) and optional filters. A typical payload is `{"format": "json", "ids": [], "filters": {}}`. 4. Authentication: No authentication (Username/Password) or specific Authorization headers are required because the endpoint lacks a restricted `permission_callback` in affected versions. 5. Data Exfiltration: The server will respond with a 200 OK and a body containing the full database export of the requested type (e.g., a list of all event attendees and their emails).

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.