CVE-2025-47445

HIGH EXPLOITED NUCLEI

Eventin <= 4.0.26 - Path Traversal

Title source: llm

Exploitation Summary

CVE-2025-47445 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 1 public exploit from researchers including inverterad. A Nuclei detection template is also available.

AI-analyzed exploit summary: This repository provides a detailed technical walkthrough of exploiting CVE-2025-47445, an SSRF vulnerability in the WordPress Eventin plugin (version 4.0.26 or older). It includes setup instructions, Nuclei scanning results, and manual testing with Burp Suite to demonstrate arbitrary file read via the `proxy_image` action.

Description

Relative Path Traversal vulnerability in Arraytics Eventin wp-event-solution allows Path Traversal. This issue affects Eventin: from n/a through <= 4.0.26.

Exploits (1)

nomisec WRITEUP
by inverterad · poc
https://github.com/inverterad/CVE-2025-47445-PoC


Classification: Writeup (90%)
Attack Type: SSRF
Complexity: Trivial
Reliability: Reliable
Target: WordPress Eventin Plugin v4.0.26 (or older)
No auth needed
Prerequisites: WordPress with vulnerable Eventin plugin installed · Docker environment for testing
devstral-2 · analyzed Feb 19, 2026

Nuclei Templates (1)

WordPress Eventin (Themewinter) ≤ 4.0.26 - Arbitrary File Download
HIGH · VERIFIED · by hnd3884
Shodan: html:"wp-event-solution"

Scores

CVSS v3: 7.5
EPSS: 0.0697
EPSS Percentile: 91.7%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation: none
Automatable: yes
Technical Impact: partial

Details

VulnCheck KEV: 2025-05-08
CWE: CWE-23
Status: published
Products (2)
Arraytics/Eventin < 4.0.26
themewinter/eventin < 4.0.27
Published: May 14, 2025
Tracked Since: Feb 18, 2026