Eventin – Event Calendar, Event Registration, Tickets & Booking (AI Powered) <= 4.1.12 - Missing Authorization
Description
The Eventin – Event Calendar, Event Registration, Tickets & Booking (AI Powered) plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 4.1.12. This makes it possible for unauthenticated attackers to perform an unauthorized action.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NTechnical Details
<=4.1.12What Changed in the Fix
Changes introduced in v4.1.13
Source Code
WordPress.org SVN# Exploitation Research Plan - CVE-2025-68045 ## 1. Vulnerability Summary CVE-2025-68045 identifies a Missing Authorization vulnerability in the **Eventin** plugin (<= 4.1.12). The vulnerability resides in the REST API controllers registered by `ApiManager.php`. Several controllers (notably those h…
Show full research plan
Exploitation Research Plan - CVE-2025-68045
1. Vulnerability Summary
CVE-2025-68045 identifies a Missing Authorization vulnerability in the Eventin plugin (<= 4.1.12). The vulnerability resides in the REST API controllers registered by ApiManager.php. Several controllers (notably those handling attendees, reports, and customers) register an /export endpoint. Due to a missing or permissive permission_callback in the route registration, unauthenticated attackers can access these endpoints to exfiltrate sensitive data (such as attendee lists, email addresses, and transaction details).
2. Attack Vector Analysis
- Endpoint:
POST /wp-json/eventin/v2/{type}/export - Vulnerable Types (
type):attendee(Primary target: PII exfiltration)report(Analytics/Sales data)customer(User data)transaction(Financial records)
- Authentication: Unauthenticated (No
Authorizationheader or Cookies required). - Parameters:
format: (string)jsonorcsv.ids: (array) Optional list of specific IDs to export.filters: (object) Optional filters for the query.
- Preconditions: The plugin must be active. Some data (attendees/events) must exist in the database for the export to return results.
3. Code Flow
- Initialization:
Eventin\ApiManager::register()is called duringrest_api_init. - Registration: The manager loops through
$controllers(defined inApiManager.php), includingAttendeeController::classandReportController::class. - Route Definition: Each controller calls
register_routes(). Inside this method (inferred from the JS behavior in60254), a route is registered forexportusingregister_rest_route(). - The Flaw: The
permission_callbackfor thePOSTrequest toexportis either missing, returnstrue, or fails to check formanage_optionsor similar administrative capabilities. - Processing: When a request is sent to
/eventin/v2/attendee/export, the controller's callback processes theformatandfiltersparameters and returns the full attendee database.
4. Nonce Acquisition Strategy
While WordPress REST API POST requests generally require a nonce (_wpnonce) to prevent CSRF for authenticated sessions, unauthenticated endpoints often do not enforce nonce verification if the permission_callback is bypassed or set to __return_true.
If the endpoint does require a nonce, it can be extracted from the frontend where the Eventin dashboard or event pages are loaded.
- Identify Trigger: The export functionality is used in the Eventin Admin dashboard. The JS localizes data into a global object.
- Localization Variable: Based on the JS chunks, the plugin likely uses
window.eventin_localizedorwindow.localized_data_obj. - Extraction:
- Create a page with a shortcode that forces the loading of Eventin scripts:
[etn-event-calendar]. - Navigate to the page.
- Execute:
browser_eval("window.wpApiSettings?.nonce")(Standard WordPress REST nonce) or check the localized object for a specific key. - Note: If the vulnerability is truly unauthenticated authorization bypass, the nonce check is likely either absent or satisfied by a null/empty session.
- Create a page with a shortcode that forces the loading of Eventin scripts:
5. Exploitation Strategy
The goal is to trigger the export of all attendees via the REST API.
- Step 1: Target the Attendee export endpoint.
- Tool:
http_request - Method:
POST - URL:
http://[target]/wp-json/eventin/v2/attendee/export - Headers:
Content-Type: application/json
- Payload:
{ "format": "json", "ids": [], "filters": {} } - Step 2: If the above fails with a 403, attempt to target the
reportorcustomertypes:POST /wp-json/eventin/v2/report/exportPOST /wp-json/eventin/v2/customer/export
6. Test Data Setup
- Install Eventin <= 4.1.12.
- Create a dummy event.
- Register at least 2-3 "Attendees" for the event via the WordPress admin or frontend registration form to ensure there is data to exfiltrate.
- Ensure Permalink settings are set to anything other than "Plain" (to enable
/wp-json/).
7. Expected Results
- Success: The server returns a
200 OKresponse with a JSON body (or CSV text) containing a list of attendees, including fields likeattendee_name,attendee_email,event_id, and registration dates. - Failure: A
401 Unauthorizedor403 Forbiddenresponse, indicating the authorization check is present.
8. Verification Steps
After performing the HTTP request, verify the data integrity:
- Use WP-CLI to count attendees:
wp post list --post_type=etn-attendee --format=count - Compare the count and specific emails from the HTTP response with the database:
wp db query "SELECT post_title FROM wp_posts WHERE post_type='etn-attendee'" - Confirm the attacker's ability to see data that should be restricted to the
manage_optionscapability.
9. Alternative Approaches
- Format Manipulation: If
jsonis blocked, attemptformat: "csv". Some security filters may only inspect JSON bodies. - Filter Injection: Attempt to use the
filtersparameter to bypass basic checks or probe for further vulnerabilities (e.g., SQL injection if filters are passed unsafely to a query). - Parameter Polling: Try
GETinstead ofPOSTif the route registration usedWP_REST_Server::ALL_METHODS.
Summary
The Eventin plugin for WordPress fails to implement authorization checks on multiple REST API export endpoints, such as those for attendees, customers, and reports. This allows unauthenticated attackers to exfiltrate sensitive data, including PII and transaction records, by sending a crafted POST request to the affected endpoints.
Vulnerable Code
// base/ApiManager.php - The ApiManager registers multiple controllers that lack proper permission_callback constraints in their register_routes methods. protected static $controllers = [ EventController::class, SpeakerController::class, ScheduleController::class, LocationController::class, EventCategoryController::class, SettingsController::class, AttendeeController::class, SpeakerCategoryController::class, EventTagController::class, TransactionController::class, OrderController::class, PaymentController::class, CustomerController::class, ExtensionController::class, ReportController::class, TemplateController::class, SetupNotification::class, TemplateBuilderController::class, ]; public static function register(): void { $controllers = apply_filters( 'eventin_api_controllers', self::$controllers ); foreach ( $controllers as $controller ) { if ( ! class_exists( $controller ) ) { continue; } if ( is_subclass_of( $controller, WP_REST_Controller::class ) ) { $api_controller = Eventin::$container->get( $controller ); $api_controller->register_routes(); } } }
Security Fix
@@ -16,6 +16,7 @@ use Eventin\Speaker\Api\SpeakerCategoryController; use Eventin\Speaker\Api\SpeakerController; use Eventin\Extensions\Api\ExtensionController; +use Eventin\Extensions\Api\TutorLmsSettingsController; use Eventin\SetupNotification\Api\SetupNotification; use Eventin\Template\Api\TemplateController; use Eventin\Template\Api\TemplateBuilderController; @@ -45,6 +46,7 @@ PaymentController::class, CustomerController::class, ExtensionController::class, + TutorLmsSettingsController::class, ReportController::class, TemplateController::class, SetupNotification::class,
Exploit Outline
The exploit targets the WordPress REST API endpoints registered by the Eventin plugin. An attacker can perform the following steps: 1. Target Endpoint: Identify the export endpoint for the desired data type, such as `/wp-json/eventin/v2/attendee/export` or `/wp-json/eventin/v2/customer/export`. 2. Request Method: Use a POST request to trigger the export functionality. 3. Payload Structure: Send a JSON payload specifying the format (e.g., `{"format": "json"}`) and optional filters. A typical payload is `{"format": "json", "ids": [], "filters": {}}`. 4. Authentication: No authentication (Username/Password) or specific Authorization headers are required because the endpoint lacks a restricted `permission_callback` in affected versions. 5. Data Exfiltration: The server will respond with a 200 OK and a body containing the full database export of the requested type (e.g., a list of all event attendees and their emails).
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.