
CVE-2025-32160: EventON Plugin RCE Vulnerability

CVE-2025-32160 is a file inclusion flaw (recorded by NVD as PHP Remote File Inclusion, CWE-98, and by Patchstack as local file inclusion) in the EventON eventon-lite WordPress plugin that can lead to remote code execution. This article covers the technical details, the affected versions (up to and including 2.4.1), detection, and mitigation.


CVE-2025-32160 Overview

CVE-2025-32160 is a PHP file inclusion vulnerability in the EventON eventon-lite WordPress plugin developed by Ashan Perera. The flaw stems from improper control of filenames used in include or require statements [CWE-98]. Authenticated attackers with low privileges can manipulate file path parameters to include arbitrary PHP files processed by the application. The vulnerability affects EventON versions up to and including 2.4.1. Successful exploitation can lead to disclosure of sensitive server content and execution of attacker-controlled PHP code within the WordPress runtime.

Critical Impact

Authenticated attackers can include arbitrary PHP files through the EventON plugin, leading to information disclosure, integrity loss, and potential remote code execution on affected WordPress sites.

Affected Products

  • Ashan Perera EventON (eventon-lite plugin for WordPress)
  • EventON versions through 2.4.1
  • WordPress sites running the vulnerable plugin version

Discovery Timeline

  • 2025-04-10 - CVE-2025-32160 published to NVD
  • 2026-04-23 - Last updated in NVD database

Technical Details for CVE-2025-32160

Vulnerability Analysis

The vulnerability resides in plugin code that constructs file paths from user-controllable input and passes them to PHP include or require statements. The plugin fails to enforce a strict allowlist of permitted files, enabling traversal of the local filesystem and inclusion of unintended PHP sources. EPSS data places exploitation likelihood at 0.642%, with a percentile of 45.76. The Patchstack advisory classifies the issue as a local file inclusion (LFI), while the NVD record categorizes it under PHP Remote File Inclusion. Both attack patterns derive from the same underlying weakness in [CWE-98].

Root Cause

The root cause is missing input validation and sanitization on a filename parameter consumed by an include or require call. The plugin trusts request-supplied values without normalizing path separators, stripping directory traversal sequences, or restricting inclusion to a fixed set of safe templates. As a result, the PHP interpreter resolves and executes whichever readable file the attacker references; because include does not care about file extensions, that file does not need to end in .php for any PHP code it contains to run.
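The following is an added illustration, not EventON's own code: the CWE-98 shape described above next to a hardened replacement that treats the request value as a lookup key into an allowlist and then confirms the resolved path still lives inside the templates directory. The parameter name, the `templates/` layout and the template names are assumptions made for this example.

```php
<?php
// Added example (not EventON code): the CWE-98 pattern behind CVE-2025-32160
// and one hardened replacement. Parameter names, the 'templates/' layout and
// the template names are assumptions made for this illustration.

// --- Vulnerable shape: request input reaches include unvalidated ---
// '../../../wp-config.php' walks out of the plugin directory;
// 'php://filter/convert.base64-encode/resource=../../../wp-config.php' leaks
// source; an uploaded image that contains <?php ... ?> executes if included.
function render_template_vulnerable(string $templates_dir, string $tpl): void
{
    include $templates_dir . '/' . $tpl;
}

// --- Hardened shape ---
// 1. The request value is a lookup key, never a path fragment.
// 2. Only an allowlisted set of template files can be chosen.
// 3. The resolved path is confirmed to live inside the templates directory,
//    so even a mistaken allowlist entry cannot reach outside it.
const ALLOWED_TEMPLATES = [
    'event-list'   => 'event-list.php',
    'event-single' => 'event-single.php',
];

function resolve_template(string $templates_dir, string $requested): ?string
{
    if (!array_key_exists($requested, ALLOWED_TEMPLATES)) {
        return null;                                  // unknown key: refuse
    }
    $base = realpath($templates_dir);
    $path = realpath($templates_dir . '/' . ALLOWED_TEMPLATES[$requested]);
    if ($base === false || $path === false) {
        return null;                                  // missing dir or file
    }
    // Containment: $path must start with "$base/" (symlinks already resolved).
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

function render_template_hardened(string $templates_dir, string $requested): void
{
    $path = resolve_template($templates_dir, $requested);
    if ($path === null) {
        http_response_code(400);
        exit('Invalid template.');
    }
    include $path;
}

// Stand-alone demonstration against a throwaway directory.
$dir = sys_get_temp_dir() . '/tpl-demo-' . getmypid();
mkdir($dir);
file_put_contents($dir . '/event-list.php', '<?php echo "event list rendered\n";');

render_template_hardened($dir, 'event-list');                 // renders the template
var_dump(resolve_template($dir, '../../../wp-config.php'));   // NULL: not an allowlisted key
var_dump(resolve_template($dir, 'php://filter/resource=x'));  // NULL: wrappers never reach include
var_dump(resolve_template($dir, 'event-single'));             // NULL: allowlisted but absent on disk

unlink($dir . '/event-list.php');
rmdir($dir);
```

The allowlist does the real work; the realpath containment check is a second line of defence for the day someone adds a template entry with a slash in it. In a WordPress plugin the same logic would normally use `plugin_dir_path(__FILE__)` for the base directory and `wp_die()` for the rejection; plain PHP equivalents are used here so the file runs on its own.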

Attack Vector

Exploitation requires network access and at least low-privileged authentication to the WordPress site. The attacker submits a crafted request containing a manipulated file path parameter to a vulnerable EventON endpoint, and the plugin includes the attacker-specified file. Depending on server configuration, the attacker can read sensitive PHP files (for example through the php://filter wrapper), trigger execution of previously uploaded content such as image files carrying PHP payloads, or, where allow_url_include is enabled, fetch and execute remote PHP over HTTP. Note that allow_url_include defaults to Off and has been deprecated since PHP 7.4, so the remote variant only applies to deliberately misconfigured hosts; local inclusion of readable files does not depend on it. Technical specifics are documented in the Patchstack WordPress Vulnerability Report.

No verified proof-of-concept code is published in the references. See the security advisory for technical details.

Detection Methods for CVE-2025-32160

Indicators of Compromise

  • HTTP requests to EventON plugin endpoints containing directory traversal sequences such as ../ or absolute paths in query parameters
  • WordPress access logs showing authenticated users requesting file paths pointing to wp-config.php, /etc/passwd, or other sensitive files
  • PHP error log entries referencing failed include/require calls originating in eventon-lite plugin files
  • Unexpected outbound HTTP requests from the web server during EventON request handling, suggesting remote URL inclusion

Detection Strategies

  • Inspect web server and WordPress request logs for EventON URLs carrying file path parameters with traversal characters or unusual extensions
  • Apply web application firewall rules that flag traversal sequences in plain, percent-encoded (..%2f, %2e%2e/) and double-encoded (..%252f) form, as well as php://, data:, phar://, expect://, and http(s):// in plugin parameters; decode the request before matching so encoding variants do not slip past the rule
  • Monitor PHP open_basedir violations and unexpected file access patterns by the web server user
  • Correlate authenticated session activity from low-privileged accounts with file inclusion log signatures
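As an added example of the log inspection described in this list (not a detection rule from the advisory), the script below scans constructed access-log lines for requests that reach EventON and carry traversal sequences, stream wrappers or remote URLs in their parameters, decoding percent-encoding repeatedly so double-encoded payloads are caught. The `action=eventon_demo` route, the `tpl` parameter and every log line are placeholders invented for this illustration; point the endpoint matcher at the routes your site actually serves.

```php
<?php
// Added example (not from the advisory or the plugin): scan web-server access
// log lines for EventON requests whose query carries file-inclusion payloads.
// The request route (action=eventon_demo), parameter name (tpl) and all log
// lines below are constructed for this illustration.

// Decode percent-encoding repeatedly so ..%252f (double-encoded) is caught.
function fully_decode(string $s, int $rounds = 3): string
{
    for ($i = 0; $i < $rounds; $i++) {
        $decoded = rawurldecode($s);
        if ($decoded === $s) {
            break;
        }
        $s = $decoded;
    }
    return $s;
}

// Returns the names of the indicators present in a request target,
// or an empty array when nothing suspicious is found.
function inclusion_indicators(string $request_target): array
{
    $decoded = fully_decode($request_target);
    $checks = [
        'traversal'     => '~(?:^|[/\\\\?&=])\.\.(?:[/\\\\]|$)~',
        'php_wrapper'   => '~\bphp://~i',
        'data_wrapper'  => '~\bdata:~i',
        'remote_scheme' => '~=(?:https?|ftp)://~i',
        'other_wrapper' => '~\b(?:phar|expect|zip|glob)://~i',
        'null_byte'     => '~\x00~',
        'absolute_path' => '~=/(?:etc|proc|var|usr|home)/~',
    ];
    $hits = [];
    foreach ($checks as $name => $re) {
        if (preg_match($re, $decoded)) {
            $hits[] = $name;
        }
    }
    return $hits;
}

// Only requests that reach the plugin are interesting for this CVE.
function targets_eventon(string $request_target): bool
{
    return stripos($request_target, 'eventon') !== false;
}

// Parse common/combined log format: client, timestamp, "METHOD target HTTP/x", status.
function scan_access_log(array $lines): array
{
    $findings = [];
    foreach ($lines as $line) {
        if (!preg_match('~^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})~', $line, $m)) {
            continue;                               // not a request line
        }
        [, $client, $ts, $method, $target, $status] = $m;
        if (!targets_eventon($target)) {
            continue;
        }
        $hits = inclusion_indicators($target);
        if ($hits) {
            $findings[] = compact('client', 'ts', 'method', 'target', 'status', 'hits');
        }
    }
    return $findings;
}

// Constructed sample log lines (not real traffic).
$sample = [
    '203.0.113.5 - - [10/Apr/2025:12:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=eventon_demo&tpl=event-list HTTP/1.1" 200 5123',
    '203.0.113.5 - - [10/Apr/2025:12:00:07 +0000] "GET /wp-admin/admin-ajax.php?action=eventon_demo&tpl=..%2F..%2F..%2Fwp-config.php HTTP/1.1" 200 2871',
    '203.0.113.5 - - [10/Apr/2025:12:00:09 +0000] "GET /wp-admin/admin-ajax.php?action=eventon_demo&tpl=..%252F..%252Fwp-config.php HTTP/1.1" 200 2871',
    '198.51.100.7 - - [10/Apr/2025:12:01:00 +0000] "POST /wp-admin/admin-ajax.php?action=eventon_demo&tpl=php://filter/convert.base64-encode/resource=../../../wp-config.php HTTP/1.1" 200 9044',
    '198.51.100.7 - - [10/Apr/2025:12:01:03 +0000] "GET /wp-content/plugins/eventon-lite/assets/style.css HTTP/1.1" 200 14002',
    '192.0.2.9 - - [10/Apr/2025:12:02:00 +0000] "GET /?s=../../etc/passwd HTTP/1.1" 200 4410',
];

// Prints the three suspicious EventON requests; the plain template request,
// the static asset and the non-EventON traversal attempt are not reported.
foreach (scan_access_log($sample) as $f) {
    printf("%s %s %s -> %s [%s]\n",
        $f['ts'], $f['client'], $f['method'], $f['target'], implode(',', $f['hits']));
}
```

A 200 status on the flagged lines is the detail to chase: a successful include of wp-config.php returns a normal-looking page, so the status code alone never tells you the attempt failed. Correlate the client address with the authenticated user in WordPress logs, since the flaw requires a logged-in account.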

Monitoring Recommendations

  • Enable verbose access logging on WordPress sites running EventON until patched
  • Forward web server, PHP-FPM, and WordPress audit logs to a centralized SIEM for retention and search
  • Alert on new PHP file creations within wp-content/uploads followed by EventON request activity
  • Track outbound network connections initiated by PHP worker processes

How to Mitigate CVE-2025-32160

Immediate Actions Required

  • Update the EventON plugin to a version newer than 2.4.1 as soon as the vendor publishes a fixed release
  • Audit WordPress user accounts and remove unnecessary low-privileged accounts that could be used to authenticate
  • Review recent EventON-related requests in access logs for signs of prior exploitation
  • Rotate any credentials, API keys, or salts that may have been exposed through file inclusion

Patch Information

Refer to the Patchstack WordPress Vulnerability Report for the current patch status and fixed release information. Administrators should upgrade beyond version 2.4.1 once a vendor-supplied fix is available and then confirm the installed version under Plugins > Installed Plugins in the WordPress admin dashboard (or with `wp plugin list` in WP-CLI), since a failed update leaves the vulnerable code in place.

Workarounds

  • Disable or remove the EventON plugin until a patched release is installed; this is the only workaround that removes the vulnerable code rather than narrowing what it can reach
  • Limit who can authenticate: disable open registration if the site does not need it, restrict wp-login.php and xmlrpc.php with IP allowlists where practical, and require multi-factor authentication, since any low-privileged account suffices to reach the vulnerable code
  • Set allow_url_include=Off (already the default, and deprecated since PHP 7.4) to rule out remote URL inclusion; allow_url_fopen=Off adds defence in depth but can break plugins that fetch URLs with file_get_contents, so test before deploying it
  • Apply open_basedir restrictions to confine PHP to the WordPress installation directory plus its upload, session and temporary paths; this still permits inclusion of files inside the tree (wp-config.php, uploads), so treat it as a containment measure, not a fix

Configuration example (php.ini hardening):

```ini
; Configuration example - php.ini hardening
allow_url_include = Off
allow_url_fopen = Off
open_basedir = /var/www/html/wordpress:/tmp
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
