Cyber Resilience

CVE-2025-1770

High

Published: 20 March 2025

Published
20 March 2025
Modified
08 July 2025
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0015 35.7th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-1770 is a high-severity Path Traversal (CWE-22) vulnerability in Themewinter Eventin. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 35.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-1770, published on 2025-03-20, is a Local File Inclusion (LFI) vulnerability (CWE-22) in the Event Manager, Events Calendar, Tickets, Registrations – Eventin plugin for WordPress. It affects all versions up to and including 4.0.24 and stems from improper handling of the 'style' parameter, which allows the inclusion and execution of arbitrary files on the server. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

Authenticated attackers with Contributor-level access or higher can exploit this issue over the network with low complexity and no user interaction. By manipulating the 'style' parameter, they can include arbitrary files, execute PHP code within them, bypass access controls, obtain sensitive data, or achieve code execution, particularly if images or other "safe" file types containing PHP payloads can be uploaded and included.

Advisories and patches are detailed in the provided references, including Wordfence's threat intelligence report and WordPress plugin trac entries. Specific code locations in events-calendar.php (line 715) and tab-1.php (line 53) from version 4.0.24 are implicated, with changeset 3257023 indicating the applied fix.

EU & UK References

Vulnerability details

The Event Manager, Events Calendar, Tickets, Registrations – Eventin plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.0.24 via the 'style' parameter. This makes it possible for authenticated attackers, with Contributor-level access…

more

and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1005 Data from Local System Collection
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
T1059 Command and Scripting Interpreter Execution
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Why these techniques?

LFI in public-facing WordPress plugin directly enables T1190 for initial access/exploitation, T1005 for reading local files/sensitive data, and T1059 for executing PHP code on the server.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-26964Same product: Themewinter Eventin
CVE-2025-12824Shared CWE-22
CVE-2026-25965Shared CWE-22
CVE-2025-30567Shared CWE-22
CVE-2025-27098Shared CWE-22
CVE-2024-55457Shared CWE-22
CVE-2026-35485Shared CWE-22
CVE-2024-54909Shared CWE-22
CVE-2026-3405Shared CWE-22
CVE-2025-41368Shared CWE-22

Affected Assets

themewinter
eventin
≤ 4.0.25

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates CVE-2025-1770 by identifying, prioritizing, and applying the vendor patch that corrects the improper 'style' parameter handling in the Eventin plugin.

prevent

Requires validation of the 'style' parameter inputs to reject arbitrary file paths, preventing local file inclusion and subsequent PHP code execution.

prevent

Enforces least privilege for Contributor-level users, limiting the scope and impact of exploitation even if the LFI is triggered.

References