Eventin WordPress Bug Lets Hackers Control 10,000 Sites
More than 10,000 WordPress websites are at risk following the disclosure of a critical vulnerability in the Eventin plugin, a popular tool developed by Themewinter for event management. Tracked as CVE-2025-47539, the flaw enables unauthenticated attackers to create administrator accounts without user interaction, granting full control over affected sites.
Security researchers from Patchstack traced the issue to one of the plugin's REST API routes, whose permission check did not verify that the caller was logged in or held any capability, so the route could be called by anyone who could reach the site. The unsecured `/wp-json/eventin/v2/speakers/import` endpoint imports speaker records as WordPress users, and the importer applies whatever role the uploaded CSV specifies. An attacker therefore only needs to upload a crafted CSV file whose role column reads `administrator` to obtain an administrator account of their own.
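The pattern the advisory describes, as an added illustration rather than the Eventin plugin's own code: a minimal WordPress REST route that imports "speakers" from a CSV, first in the vulnerable shape (an unconditional permission callback and the role taken straight from the file), then hardened with a capability check and a pinned role. The route namespace, function names and the `example_` prefix are hypothetical, and the CSV body is constructed for the example; the real plugin's request format is not on the page.

```php
<?php
/**
 * Added illustration (not the Eventin plugin's own code). Route names, function
 * names and the request format are hypothetical; it shows the vulnerable shape
 * of an unauthenticated CSV import beside a hardened version.
 */

// Constructed sample payload: what an attacker would POST as the request body.
// The role column is the entire attack.
const EXAMPLE_ATTACK_CSV = "name,email,role\nEve,eve@example.invalid,administrator\n";

/* ---------- vulnerable shape ---------- */

add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/speakers/import', array(
        'methods'             => 'POST',
        'callback'            => 'example_import_speakers_vulnerable',
        // The bug: __return_true makes the route reachable by anyone, logged in or not.
        'permission_callback' => '__return_true',
    ) );
} );

function example_import_speakers_vulnerable( WP_REST_Request $request ) {
    $rows = example_parse_csv( $request->get_body() );
    foreach ( $rows as $row ) {
        // wp_insert_user() honours whatever role the CSV row carries, so a row
        // with role=administrator creates an administrator on the site.
        wp_insert_user( array(
            'user_login' => $row['email'],
            'user_email' => $row['email'],
            'user_pass'  => wp_generate_password(),
            'role'       => $row['role'],
        ) );
    }
    return rest_ensure_response( array( 'imported' => count( $rows ) ) );
}

/* ---------- hardened shape ---------- */

add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/speakers/import-secure', array(
        'methods'             => 'POST',
        'callback'            => 'example_import_speakers_secure',
        // Only callers who may create users get in. With cookie authentication
        // WordPress additionally requires a valid X-WP-Nonce, which blocks CSRF.
        'permission_callback' => function () {
            return current_user_can( 'create_users' );
        },
    ) );
} );

function example_import_speakers_secure( WP_REST_Request $request ) {
    $rows    = example_parse_csv( $request->get_body() );
    $created = 0;
    foreach ( $rows as $row ) {
        $email = sanitize_email( $row['email'] ?? '' );
        if ( ! is_email( $email ) || email_exists( $email ) ) {
            continue;
        }
        // Never take a role from user-supplied data. Pin imports to a fixed
        // low-privilege role (or validate against an allowlist that excludes
        // administrator if the feature genuinely needs several roles).
        $user_id = wp_insert_user( array(
            'user_login' => sanitize_user( $email, true ),
            'user_email' => $email,
            'user_pass'  => wp_generate_password(),
            'role'       => 'subscriber',
        ) );
        if ( ! is_wp_error( $user_id ) ) {
            $created++;
        }
    }
    return rest_ensure_response( array( 'imported' => $created ) );
}

/** Small CSV helper: the header row becomes the keys of each associative row. */
function example_parse_csv( string $csv ): array {
    $lines = array_values( array_filter( array_map( 'trim', explode( "\n", $csv ) ) ) );
    if ( empty( $lines ) ) {
        return array();
    }
    $header = str_getcsv( array_shift( $lines ) );
    $rows   = array();
    foreach ( $lines as $line ) {
        $fields = str_getcsv( $line );
        if ( count( $fields ) === count( $header ) ) {
            $rows[] = array_combine( $header, $fields );
        }
    }
    return $rows;
}
```

Dropped into a site as a plugin, the first route accepts `curl -X POST --data-binary "$EXAMPLE_ATTACK_CSV" https://site/wp-json/example/v1/speakers/import` from an anonymous client and creates the administrator; the second rejects the same request with a 401 and, even for an authorised importer, never lets the file choose the role. When reviewing REST routes in any plugin, grep for `permission_callback` set to `__return_true` and confirm each such route is genuinely meant to be public.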
The vulnerability was reported on April 19, 2025, and patched in version 4.0.27, released on April 30. Site administrators are urged to update immediately, or to deactivate the plugin until they can, to prevent site takeover, malware injection, or botnet recruitment. Updating closes the endpoint but does not remove accounts an attacker may already have created, so the update should be followed by a review of the user list for unexpected administrator accounts and a check of web server logs for POST requests to the import endpoint; any rogue account found means the site was compromised and credentials, API keys and other secrets on it should be rotated.
Because exploitation needs no credentials and no action from a victim, only a crafted HTTP request to the site, the flaw is well suited to automated, large-scale attacks and presents a high risk of widespread exploitation if left unpatched.
