
CVE-2025-3419 PoC — Event Manager, Events Calendar, Tickets, Registrations – Eventin <= 4.0.26 - Unauthenticated Arbitrary File Read

Associated Vulnerability

Title: Event Manager, Events Calendar, Tickets, Registrations – Eventin <= 4.0.26 - Unauthenticated Arbitrary File Read (CVE-2025-3419)

Description: The Event Manager, Events Calendar, Tickets, Registrations – Eventin plugin for WordPress is vulnerable to arbitrary file read in all versions up to, and including, 4.0.26 via the proxy_image() function. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information. CVE-2025-47445 is a duplicate of this vulnerability.

Description

The Eventin plugin (<= 4.0.26) for WordPress contains an unauthenticated arbitrary file read vulnerability.

Readme
# CVE-2025-3419 - WordPress Eventin <= 4.0.26 - Arbitrary File Read

🔥 **Vulnerability Summary**

The Eventin plugin (<= 4.0.26) for WordPress contains an unauthenticated arbitrary file read vulnerability in the `proxy_image()` function. Attackers exploit insufficient input validation by manipulating the `url` parameter to fetch server files (e.g., `/etc/passwd`, `wp-config.php`). The function fails to restrict access to local file paths, allowing directory traversal (e.g., `../../`). This exposes sensitive data like database credentials, API keys, and system files. The flaw stems from missing sanitization checks before file operations.

🔍 **Affected Plugin**
- Plugin Name: Eventin
- Affected Version: <= 4.0.26
- Vulnerability Type: Unauthenticated Arbitrary File Read
- CVE ID: CVE-2025-3419
- CVSS Score: 9.8 (Critical)
- Impact: Sensitive File Disclosure

🧪 **Exploit Features**
- ✅ Automatically sends file read request to `?action=proxy_image&url=file:///etc/passwd`
- 🔎 Detects presence of `/etc/passwd` via keyword `root:x:0:0:`
- 🧠 Checks server header (`Apache` or `Nginx`)
- 💾 Saves:
  - All vulnerable targets to `result.txt`
  - Apache-based servers to `passwd_server_apache.txt`
  - Nginx-based servers to `passwd_server_nginx.txt`
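The summary above attributes the flaw to a missing check on the `url` parameter before the file operation, and the feature list shows the request shape the checker sends. The following Python is an added example, not code from the Eventin plugin (which is PHP) or from this PoC: an allow-list check that accepts only absolute http(s) URLs and rejects local schemes, scheme-less paths and traversal segments (encoded or not), plus an access-log scanner that applies the same check to flag `proxy_image` requests carrying such values. Function names, log lines, addresses and the request path `/` are constructed; the page does not state which endpoint serves the action, so the scanner keys on the query string only.

```python
"""Added example (not the Eventin plugin's PHP, not this PoC): an allow-list
check for a remote-image proxy's `url` parameter, and an access-log scanner
that applies the same check to spot proxy_image requests carrying local
schemes or traversal. All names, log lines and addresses are constructed."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def fully_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode until stable (bounded) so %252e%252e does not slip past."""
    for _ in range(rounds):
        nxt = unquote(value)
        if nxt == value:
            break
        value = nxt
    return value


def proxy_url_problem(url: str):
    """Return None if `url` is an acceptable remote-image target, else a short
    reason. Accepts only absolute http(s) URLs with a host; rejects file://,
    scheme-less local paths, and any '..' path segment (encoded or not)."""
    if not url:
        return "empty url"
    decoded = fully_decode(url)
    if any(ord(c) < 32 for c in decoded):
        return "control character in url"
    parts = urlsplit(decoded)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return f"scheme {scheme or '(none)'!r} not allowed"
    if not parts.netloc:
        return "missing host"
    if ".." in parts.path.split("/"):
        return "path traversal segment"
    return None


def is_safe_proxy_url(url: str) -> bool:
    """Boolean form of proxy_url_problem(), the check a proxy handler would gate on."""
    return proxy_url_problem(url) is None


# Apache/Nginx combined-format line: client, ident, user, [time], "request", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) '
)


def scan_access_log(lines):
    """Return one finding per proxy_image request whose url parameter fails the
    allow-list. Only the query string is inspected, so the scanner does not
    depend on the path the plugin serves the action on."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        qs = parse_qs(urlsplit(m["target"]).query, keep_blank_values=True)
        if "proxy_image" not in qs.get("action", []):
            continue
        for url in qs.get("url", [""]):
            reason = proxy_url_problem(url)
            if reason:
                findings.append({"line": n, "ip": m["ip"],
                                 "status": int(m["status"]), "reason": reason})
    return findings


# Constructed sample log; the path "/" stands in for whatever endpoint serves the action.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Apr/2025:12:00:01 +0000] "GET /?action=proxy_image&url=https://cdn.example.com/banner.png HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Apr/2025:12:00:02 +0000] "GET /?action=proxy_image&url=file:///etc/passwd HTTP/1.1" 200 1823 "-" "python-requests/2.31"',
    '203.0.113.5 - - [10/Apr/2025:12:00:03 +0000] "GET /?action=proxy_image&url=http://cdn.example.com/../../wp-config.php HTTP/1.1" 200 2400 "-" "python-requests/2.31"',
    '192.0.2.9 - - [10/Apr/2025:12:00:04 +0000] "GET /wp-login.php HTTP/1.1" 200 4100 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Apr/2025:12:00:05 +0000] "GET /?action=proxy_image&url=file%3A%2F%2F%2Fetc%2Fpasswd HTTP/1.1" 200 1823 "-" "curl/8.4"',
]

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['ip']} status {f['status']} -> {f['reason']}")
```

Log-based detection sees the request, not the response: confirming that a file was actually returned (the `root:x:0:0:` marker the checker looks for) needs the response body, which access logs do not keep, so treat a hit as a request to triage alongside updating the plugin past 4.0.26. The allow-list check deliberately does not try to enumerate bad inputs; anything that is not an absolute http(s) URL with a host is refused.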

🚀 **Usage**
1. Create a `list.txt` file containing target domains (one per line, without `http://` or `https://`)
   ```
   example.com
   site123.org
   ```

2. Run the script:
   ```bash
   python3 cve_2025_3419_checker.py
   ```

📁 **Output**
- `result.txt`: List of sites leaking `/etc/passwd`
- `passwd_server_apache.txt`: Apache servers vulnerable
- `passwd_server_nginx.txt`: Nginx servers vulnerable

🧠 **Researcher**
Credit: [DailyCVE](https://dailycve.com/wordpress-arbitrary-file-read-cve-2025-3419-critical/)

🔒 **Disclaimer:**  
This tool is for educational and authorized testing purposes only. Do not use against targets you do not have permission to assess.
File Snapshot

```
[4.0K] /data/pocs/5eff6f6260b22c2cd0f06601c0d1e1262e3c3dfb
├── [2.2K] CVE-2025-3419.py
└── [1.9K] README.md

0 directories, 2 files
```