What the vulnerability does
01 Description
The Event Manager, Events Calendar, Tickets, Registrations – Eventin plugin for WordPress is vulnerable to arbitrary file read in all versions up to, and including, 4.0.26 via the proxy_image() function. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information. CVE-2025-47445 is a duplicate of this vulnerability.
Explanation of Vulnerability in Simple Terms
02 Summary
Eventin versions up to 4.0.26 contain an external input validation flaw that exposes sensitive data. An attacker on the network can read confidential information without authentication or user interaction. The vulnerability affects the event calendar and registration system, potentially exposing user data or event details stored in the plugin.
What an attacker can do
03 Attacker Capabilities
Read sensitive data from the plugin without logging in.
Potential impact on your site
04 Site Impact
Confidential event data, user information, or registration details may be exposed to unauthenticated attackers.
Conditions required to exploit
05 Prerequisites
Network access to the site; no authentication or user interaction required.
Key dates
06 Disclosure timeline
May 8, 2025: CVE published
April 8, 2026: Record updated