CVE-2025-4796: 
WordPress vulnerability analysis and mitigation

The Eventin plugin for WordPress contains a privilege escalation vulnerability via account takeover in versions up to and including 4.0.34 (CVE-2025-4796). The vulnerability was discovered on August 8, 2025, and affects the plugin's user management functionality. The issue stems from improper validation of user identity and capabilities in the 'Eventin\Speaker\Api\SpeakerController::update_item' function (NVD).

The vulnerability exists due to insufficient validation of user identity and capabilities prior to updating user details, specifically email addresses, in the SpeakerController::update_item function. The CVSS v3.1 base score is 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The vulnerability is classified as CWE-639 (Authorization Bypass Through User-Controlled Key) (NVD, Wordfence).

The vulnerability allows unauthenticated attackers with contributor-level or higher permissions to modify arbitrary users' email addresses, including administrators. This can be leveraged to reset user passwords and gain unauthorized access to accounts, potentially leading to complete site compromise (NVD).

A patch has been released in version 4.0.35 of the Eventin plugin. Site administrators are strongly advised to update to this version immediately. The fix includes additional user validation checks in the SpeakerController::update_item function (Wordfence).