Advisory

Critical privilege escalation vulnerability in Eventin WordPress plugin



A security vulnerability has been discovered and patched in the Eventin WordPress plugin, an event management plugin with over 10,000 active installations. 

The vulnerability is tracked as CVE-2025-47539 (CVSS score 9.8). It is an unauthenticated privilege escalation flaw that lets an attacker with no account create administrator accounts on affected WordPress sites, potentially leading to complete site compromise. It is caused by:

  • An insecure REST API endpoint (/wp-json/eventin/v2/speakers/import) with a permission callback function that simply returned true without performing any actual authentication checks
  • Unchecked processing of user roles during the speaker import functionality
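As an added illustration (not Eventin's own code), the shape of the two defects described above beside hardened equivalents: a REST route whose permission callback unconditionally returns true, and an import routine that takes the new account's role from the uploaded file. The route name is the one in the advisory; the example_ names and the pre-parsed "rows" parameter are assumptions.

```php
<?php
// Added illustrative example, not Eventin's own code. The route name is the
// one named in the advisory; functions prefixed example_ are hypothetical.
// Assumption: the request body has already been parsed into an array of rows.

add_action( 'rest_api_init', function () {
    register_rest_route( 'eventin/v2', '/speakers/import', array(
        'methods'  => 'POST',
        'callback' => 'example_import_speakers',
        // WEAK (the defect described above): a callback of '__return_true'
        // lets any visitor, logged in or not, reach the import routine.
        //   'permission_callback' => '__return_true',
        // HARDENED: require a capability that only privileged users hold.
        'permission_callback' => function () {
            return current_user_can( 'create_users' );
        },
    ) );
} );

// Second defect: the import must never take the new account's role from the
// uploaded file. Every imported account gets one fixed, low-privilege role.
function example_import_speakers( WP_REST_Request $request ) {
    $fixed_role = 'subscriber';
    $rows       = (array) $request->get_param( 'rows' );
    $created    = array();

    foreach ( $rows as $row ) {
        $email = sanitize_email( $row['email'] ?? '' );
        if ( ! is_email( $email ) || email_exists( $email ) ) {
            continue; // skip malformed or duplicate entries
        }
        // WEAK: 'role' => $row['role'] would let the file choose "administrator".
        $user_id = wp_insert_user( array(
            'user_login' => sanitize_user( $row['username'] ?? $email, true ),
            'user_email' => $email,
            'user_pass'  => wp_generate_password( 24, true ),
            'role'       => $fixed_role, // any role column in the file is ignored
        ) );
        if ( ! is_wp_error( $user_id ) ) {
            $created[] = $user_id;
        }
    }
    return rest_ensure_response( array( 'created' => $created ) );
}
```

The capability check runs before the callback, so an unauthenticated request is rejected with a 401/403 by the REST API without the import code ever executing.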

An unauthenticated attacker could exploit this vulnerability by:

  1. Sending a POST request to the vulnerable endpoint
  2. Uploading a specially crafted CSV file containing attacker-specified user details with the role set to "administrator"
  3. Resetting the password to access the created account

All versions of Eventin prior to 4.0.27 are affected.

The vulnerability has been fixed in Eventin version 4.0.27, released on April 30, 2025. 
