CVE-2025-26964
Published: 25 February 2025
Summary
CVE-2025-26964 is a high-severity PHP Remote File Inclusion (CWE-98) vulnerability in Themewinter Eventin. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 24.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
The vulnerability is a PHP Local File Inclusion issue (CWE-98) stemming from improper control of filenames in include/require statements within the Eventin plugin (wp-event-solution) by Arraytics. It affects WordPress installations running Eventin versions up to and including 4.0.20 and carries a CVSS 3.1 score of 7.5.
An authenticated attacker with low privileges can supply a crafted filename parameter over the network to force inclusion of arbitrary local PHP files. Successful exploitation can yield full control over the affected site, including the ability to read sensitive files, execute arbitrary code, or alter site behavior, though the attack requires high complexity.
The primary advisory published via Patchstack identifies the flaw in Eventin 4.0.20 and below; site operators should apply the vendor-supplied update that resolves the file-inclusion logic. The associated EPSS score remains low, with a current value of 0.0085 and a peak of only 0.0107.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-5440
Vulnerability details
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Arraytics Eventin wp-event-solution allows PHP Local File Inclusion.This issue affects Eventin: from n/a through <= 4.0.20.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
LFI vulnerability in public-facing WordPress plugin directly enables exploitation of public-facing applications (T1190) and local file access for data collection (T1005).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Requires validation of filename inputs to PHP include/require statements, directly preventing local file inclusion by rejecting malicious paths.
Mandates timely flaw remediation, including patching the vulnerable Eventin WordPress plugin up to version 4.0.20 to eliminate the LFI vulnerability.
Restricts filename inputs for file inclusions to organization-defined safe values or paths, blocking unauthorized local file access via traversal.