CVE-2025-26964: 
WordPress vulnerability analysis and mitigation

A Local File Inclusion vulnerability (CVE-2025-26964) was discovered in the Themewinter Eventin WordPress plugin affecting versions up to 4.0.20. The vulnerability was reported on January 10, 2025, by security researcher Peter Thaleikis and was publicly disclosed on February 23, 2025 (Patchstack).

The vulnerability is classified as an Improper Control of Filename for Include/Require Statement in PHP Program (PHP Remote File Inclusion) with a CVSS v3.1 base score of 7.5 (High). The vulnerability vector is CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating network accessibility with high attack complexity, requiring low privileges, and potentially resulting in high impacts to confidentiality, integrity, and availability (Patchstack).

The vulnerability could allow a malicious actor to include local files of the target website and display their contents. This could potentially expose sensitive information, including database credentials, which might lead to complete database compromise depending on the system configuration (Patchstack).

The vulnerability has been fixed in version 4.0.21 of the Eventin plugin. Users are advised to update to version 4.0.21 or later to remediate the security issue. Patchstack users can enable auto-update functionality for vulnerable plugins as an additional security measure (Patchstack).