CVE-2025-1770: 
WordPress vulnerability analysis and mitigation

The Event Manager, Events Calendar, Tickets, Registrations – Eventin plugin for WordPress is vulnerable to Local File Inclusion in versions up to and including 4.0.24. The vulnerability was discovered and disclosed on March 20, 2025. This security issue affects the plugin's handling of the 'style' parameter (Wordfence).

The vulnerability allows authenticated attackers with Contributor-level access and above to include and execute arbitrary files on the server through Local File Inclusion (LFI). This enables the execution of any PHP code contained in those files. The vulnerability has been assigned a CVSS v3.1 base score of 8.8 HIGH (Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and is tracked as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) (NVD).

The vulnerability can be exploited to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other "safe" file types can be uploaded and included. This poses a significant security risk as it could lead to complete server compromise (NVD).

A fix has been released in version 4.0.25 of the plugin. Users are strongly advised to update to this version immediately. The update can be installed through the WordPress plugin management interface or downloaded directly from the WordPress plugin repository (WordPress Plugin).