CVE Vulnerability Database

CVE-2025-26964: Eventin Path Traversal Vulnerability

CVE-2025-26964 is a path traversal flaw in the Eventin (wp-event-solution) WordPress plugin that enables PHP local file inclusion attacks. Versions up to 4.0.20 are affected. This article covers technical details, impact, and mitigation.

Published:

CVE-2025-26964 Overview

CVE-2025-26964 is a Local File Inclusion (LFI) vulnerability in the Arraytics Eventin plugin (wp-event-solution) for WordPress. The flaw stems from improper control of filenames used in PHP include or require statements [CWE-98]. Authenticated attackers can manipulate file path parameters to load arbitrary local PHP files through the plugin. The issue affects all Eventin versions from initial release through 4.0.20. Successful exploitation enables code execution within the WordPress process, exposure of sensitive configuration data, and potential full site compromise. The vulnerability carries a network attack vector and requires only low privileges, making it accessible to any authenticated user role permitted to interact with the plugin's endpoints.

Critical Impact

Authenticated attackers can execute arbitrary PHP code on WordPress sites running Eventin 4.0.20 or earlier, leading to full site takeover.

Affected Products

  • Arraytics Eventin (wp-event-solution) plugin for WordPress, versions through 4.0.20
  • WordPress installations with the Eventin plugin enabled
  • Themewinter Eventin distributions on the WordPress plugin repository

Discovery Timeline

  • 2025-02-25 - CVE-2025-26964 published to NVD
  • 2026-04-23 - Last updated in NVD database

Technical Details for CVE-2025-26964

Vulnerability Analysis

The vulnerability resides in PHP file inclusion logic within the Eventin plugin. The plugin accepts user-controlled input and passes it to a PHP include or require statement without sufficient validation or allow-listing. An authenticated attacker can supply a crafted parameter referencing arbitrary local files on the server. When the PHP interpreter loads the targeted file, any executable code contained within it runs in the context of the WordPress process. This grants the attacker the ability to read sensitive files such as wp-config.php, escalate to remote code execution by combining the flaw with file upload primitives, or pivot to other applications hosted on the server. The Eventin plugin is widely deployed on event management sites, expanding the addressable attack surface.

Root Cause

The root cause is improper control of a filename used in a PHP include or require statement [CWE-98]. The plugin trusts attacker-controlled input as part of a dynamic path passed to PHP's file inclusion API. Without canonicalization, allow-listing, or a fixed base directory enforced through realpath() checks, the path argument can resolve to files outside the intended directory.
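The confinement check described above, written out as an added example (not Eventin's code, and in Python rather than the plugin's PHP; the template directory, slug format and parameter shape are assumptions). The vulnerable form shows the CWE-98 shape the advisory describes; the hardened form decodes once, allow-lists the name, joins it to a fixed base and confirms the canonical path with realpath:

```python
import os
import re
from typing import Optional
from urllib.parse import unquote

# Fixed base directory the handler may include from. Constructed for this
# example; it is not Eventin's real plugin layout.
TEMPLATE_DIR = "/var/www/html/wp-content/plugins/eventin/templates"

# Allow-list: a template name is a bare slug, nothing more.
SLUG_RE = re.compile(r"[a-z0-9][a-z0-9-]{0,63}")


def resolve_template(user_value: str, base_dir: str = TEMPLATE_DIR) -> Optional[str]:
    """Return the canonical file a hardened handler would include, or None.

    Decode the parameter, allow-list the name, join it to a fixed base,
    canonicalise with realpath and confirm it still lives under the base.
    """
    name = unquote(user_value)
    if "\x00" in name or not SLUG_RE.fullmatch(name):
        return None  # rejects ../, %2e%2e%2f, absolute paths, null bytes
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, name + ".php"))
    # Belt and braces: realpath collapses any '..' the allow-list missed.
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def vulnerable_resolve(user_value: str, base_dir: str = TEMPLATE_DIR) -> str:
    """The CWE-98 shape the advisory describes: the decoded parameter is
    spliced into the include path with no allow-list or base-directory check."""
    return os.path.normpath(os.path.join(base_dir, unquote(user_value)))
```

Note that os.path.join discards the base entirely when the user value is absolute, which is why an absolute path such as /etc/passwd needs no traversal sequence at all to escape.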

Attack Vector

Exploitation requires network access to the WordPress site and a low-privilege authenticated session. The attacker issues an HTTP request to a vulnerable Eventin endpoint with a manipulated parameter that supplies a path to a local file. The PHP runtime then includes that file. When combined with a file upload feature or log poisoning, the attacker can stage a PHP payload locally and request its inclusion to obtain remote code execution.

No verified public proof-of-concept code is available for this CVE. Refer to the Patchstack advisory for vendor-coordinated technical details.

Detection Methods for CVE-2025-26964

Indicators of Compromise

  • HTTP requests to Eventin plugin endpoints containing path traversal sequences such as ../, encoded variants like %2e%2e%2f, or absolute paths to system files such as /etc/passwd or wp-config.php.
  • Unexpected PHP files appearing under wp-content/uploads/ or other writable WordPress directories.
  • Web server or PHP error logs showing include() or require() failures referencing unusual paths originating from Eventin handlers.

Detection Strategies

  • Inspect access logs for authenticated requests to wp-admin/admin-ajax.php or Eventin REST routes carrying file path parameters.
  • Deploy web application firewall (WAF) rules that block traversal patterns and absolute filesystem paths in query and body parameters.
  • Hunt for newly created or modified PHP files within the WordPress document root using file integrity monitoring.
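A log-hunting pass over the indicators listed above, as an added example that is not part of the original page: it scopes to admin-ajax.php and Eventin REST routes, peels nested percent-encoding, and flags traversal sequences, absolute paths and sensitive file names. The sample log lines, the `eventin_template` action and the `file`/`name` parameters are constructed for the example; the `/wp-json/eventin/` prefix is an assumption.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit
# Combined log format: client, ident, auth user, timestamp, request line, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<target>\S+) \S+" (?P<status>\d{3})')
# Endpoints the page names; the REST prefix is an assumption for this example.
WATCHED_PATHS = ("/wp-admin/admin-ajax.php", "/wp-json/eventin/")
SENSITIVE_FILES = ("wp-config.php", "/etc/passwd")

# Constructed sample lines: action and parameter names are hypothetical.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2025:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=eventin_template&file=event-card HTTP/1.1" 200 512
203.0.113.7 - - [10/Mar/2025:10:01:09 +0000] "GET /wp-admin/admin-ajax.php?action=eventin_template&file=..%2f..%2f..%2f..%2fwp-config.php HTTP/1.1" 200 2048
203.0.113.7 - - [10/Mar/2025:10:01:15 +0000] "GET /wp-json/eventin/v1/template?name=%252e%252e%252fetc%252fpasswd HTTP/1.1" 500 77
198.51.100.4 - - [10/Mar/2025:10:02:00 +0000] "GET /index.php?p=../../x HTTP/1.1" 404 0
"""

def fully_decode(value: str, rounds: int = 3) -> str:
    """Peel nested percent-encoding (%252e -> %2e -> .) a bounded number of times."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_params(target: str) -> list:
    """(param, reason) pairs for query values matching the page's IoCs."""
    parts = urlsplit(target)
    if not parts.path.startswith(WATCHED_PATHS):
        return []  # scope to plugin routes to keep alert volume sane
    findings = []
    for key, values in parse_qs(parts.query, keep_blank_values=True).items():
        for raw in values:  # parse_qs already decoded once
            val = fully_decode(raw).replace("\\", "/")
            if "../" in val or val.startswith("/"):
                findings.append((key, "traversal-or-absolute"))
            elif any(name in val for name in SENSITIVE_FILES):
                findings.append((key, "sensitive-file"))
    return findings

def scan_log(lines) -> list:
    """One dict per hit; join ip/ts against WordPress auth logs to name the account."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            for key, reason in suspicious_params(m["target"]):
                hits.append({"ip": m["ip"], "ts": m["ts"], "param": key, "reason": reason, "status": m["status"]})
    return hits
```

The access log's auth-user field is "-" for cookie-authenticated WordPress sessions, so mapping a hit to the account the page warns about requires correlating the client IP and timestamp with WordPress login or audit logs.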

Monitoring Recommendations

  • Enable verbose PHP error logging and forward logs to a central SIEM or data lake for correlation against plugin endpoints.
  • Alert on authenticated user accounts that suddenly issue large numbers of requests to Eventin endpoints.
  • Track outbound network connections from the WordPress host to detect post-exploitation command-and-control traffic.

How to Mitigate CVE-2025-26964

Immediate Actions Required

  • Update the Eventin plugin to a version later than 4.0.20 as soon as the vendor releases a patched build.
  • Audit WordPress user accounts and revoke or reset credentials for any low-privilege accounts not actively in use.
  • Review recent uploads and web server logs for evidence of file inclusion attempts since the plugin was installed.

Patch Information

Reference the Patchstack WordPress Vulnerability database entry for vendor advisories and fixed version information. Apply the patched plugin release through the WordPress dashboard or by deploying the updated package via your standard plugin management workflow.

Workarounds

  • Disable the Eventin plugin until a patched version is installed if event management functionality is not business-critical.
  • Restrict access to WordPress administrative and AJAX endpoints with IP allow-listing or reverse proxy rules.
  • Deploy WAF signatures that block path traversal sequences and inclusion attempts targeting Eventin parameters.
  • Set PHP open_basedir and disable_functions directives to constrain which files the WordPress process can read and execute.
```ini
; Example: restrict PHP file access via php.ini open_basedir
open_basedir = "/var/www/html/:/tmp/"
disable_functions = "exec,passthru,shell_exec,system,proc_open,popen"
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
