
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2025-47539 is a critical privilege escalation vulnerability affecting the Eventin WordPress plugin developed by Themewinter. The vulnerability was discovered by security researcher Denver Jackson and reported through the Patchstack Zero Day Initiative. This high-severity flaw affects versions up to 4.0.26 of the plugin, which has over 10,000 active installations, and was disclosed on May 7, 2025. The vulnerability received a CVSS score of 9.8, indicating its critical nature (Patchstack, NVD).
The vulnerability exists in the /wp-json/eventin/v2/speakers/import REST API endpoint due to a flawed permission check. The route's permission_callback, set to import_item_permissions_check(), always returns true, so any unauthenticated user can reach the endpoint. The handler then processes a user-supplied CSV file through $importer->import($file) and $this->create_speaker(), which lets an attacker create users with administrator privileges. The vulnerability has been assigned a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (Patchstack, Wiz).
The vulnerability allows unauthenticated attackers to gain full administrative access to affected WordPress sites. This level of access enables complete site compromise, including the ability to modify content, install malicious plugins, access sensitive data, and potentially affect the underlying server (Wiz).
Site administrators are strongly advised to update the Eventin plugin to version 4.0.27 or later, which contains the security fix. The vendor patched the issue by adding a proper permission check to the import_item_permissions_check() function together with a whitelist check on the roles of imported users. Additional recommended measures include auditing the user list for suspicious administrator accounts and enabling two-factor authentication for all administrative users. Patchstack customers are automatically protected through virtual patching (Patchstack).
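As an added illustration (not the plugin's actual code), the flawed callback pattern next to a hardened route registration that applies the two measures the fix describes: a real capability check and a role whitelist for imported rows. Only core WordPress APIs are used; the class name, the CSV upload field name and the contents of the allowlist are assumptions.

```php
<?php
// Added example, not the Eventin plugin's own code. Class, helper names,
// CSV field name and allowlist contents are assumed for illustration.
class Speaker_Import_Controller_Example {
    // Roles an imported CSV row may request (assumed allowlist).
    const ALLOWED_IMPORT_ROLES = array( 'subscriber', 'contributor' );

    public function register_routes() {
        register_rest_route( 'eventin/v2', '/speakers/import', array(
            'methods'             => WP_REST_Server::CREATABLE,
            'callback'            => array( $this, 'import_items' ),
            // Vulnerable pattern: a permission callback that always returns true
            // (e.g. '__return_true') exposes the importer to unauthenticated callers.
            'permission_callback' => array( $this, 'import_item_permissions_check' ),
        ) );
    }

    // Hardened check: only users allowed to create accounts may run the import.
    public function import_item_permissions_check( WP_REST_Request $request ) {
        if ( ! current_user_can( 'create_users' ) ) {
            return new WP_Error( 'rest_forbidden', 'You may not import speakers.',
                array( 'status' => rest_authorization_required_code() ) );
        }
        return true;
    }

    // Parse the uploaded CSV (upload field "file" assumed); one user per row.
    public function import_items( WP_REST_Request $request ) {
        $files  = $request->get_file_params();
        $handle = fopen( $files['file']['tmp_name'], 'r' );
        $header = fgetcsv( $handle );
        $results = array();
        while ( ( $values = fgetcsv( $handle ) ) !== false ) {
            $results[] = $this->create_speaker( array_combine( $header, $values ) );
        }
        fclose( $handle );
        return rest_ensure_response( $results );
    }

    // Second layer: even an authorised import cannot assign a role outside the allowlist.
    public function create_speaker( array $row ) {
        $role = isset( $row['role'] ) ? sanitize_key( $row['role'] ) : 'subscriber';
        if ( ! in_array( $role, self::ALLOWED_IMPORT_ROLES, true ) ) {
            return new WP_Error( 'invalid_role', "Role '$role' is not permitted for import." );
        }
        return wp_insert_user( array(
            'user_login' => sanitize_user( $row['user_login'] ?? '' ),
            'user_email' => sanitize_email( $row['user_email'] ?? '' ),
            'user_pass'  => wp_generate_password( 24 ), 'role' => $role,
        ) );
    }
}
```

With the allowlist in place, a CSV row requesting "administrator" is rejected with a WP_Error rather than creating a privileged account, which is the class of bypass the advisory describes.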
The security community has responded quickly to this vulnerability, with Patchstack awarding the discovering researcher a $600 USD bounty through their Zero Day bug bounty program. The vulnerability has gained significant attention due to its critical nature and the large number of potentially affected websites (Patchstack).
Source: This report was generated using AI