Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1020 CNY

100%
Buy Us a Coffee

CVE-2025-4796 PoC — Eventin <= 4.0.34 - Authenticated (Contributor+) Privilege Escalation via User Email Change/Account Takeover

Source
https://github.com/Pwdnx1337/CVE-2025-4796
Associated Vulnerability
Title:Eventin <= 4.0.34 - Authenticated (Contributor+) Privilege Escalation via User Email Change/Account Takeover (CVE-2025-4796)
Description:The Eventin plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 4.0.34. This is due to the plugin not properly validating a user's identity or capability prior to updating their details like email in the 'Eventin\Speaker\Api\SpeakerController::update_item' function. This makes it possible for unauthenticated attackers with contributor-level and above permissions to change arbitrary user's email addresses, including administrators, and leverage that to reset the user's password and gain access to their account.
Description
eventin <= 4.0.34 - privilege escalation via user email change / account takeover for authenticated contributor+
Readme
# CVE-2025-4796
eventin &lt;= 4.0.34 - privilege escalation via user email change / account takeover for authenticated contributor+

## description
privilege escalation bug in eventin wordpress plugin (<= 4.0.34) that lets any contributor or higher user change any users email through the plugins speaker update api. by changing an admin email to one the attacker controls, they can reset the password and take over the account.

- vulnerable part: eventin wordpress plugin (`eventin\speaker\api\speakercontroller::update_item`)
- affected versions: <= 4.0.34
- cve: CVE-2025-4796
- cvss: 8.8 (high)


## vulnerability details
eventin doesnt properly check who is requesting the update or if they re allowed to change the user email. a contributor or higher can call this endpoint:
- put /wp-json/eventin/v2/speakers/<speaker_id>
and update the speaker email to an email they control. then the attacker can use wordpress password reset to take over the admin account.



requirements:
- python 3.8 or higher
- requests

install requests:
``
pip install requests
``

## usage
run the script and enter required values when prompted:

``
python3 CVE-2025-4796.py 
``
## example output
[+] turning off ssl verification warnings   
[+] login into wordpress.  
[+] login successful.  
[+] fetching nonce token  
[+] nonce token found: abcdef1234567890   
[+] update request for speaker email    

[+] update operation successful.  

```
url: http://example.com  
id: 123   
email: attacker@example.com. 
user: attacker  
pass: yourpassword  

{. 
  "id": 123,    
  "email": "newemail@example.com",  
  "name": "Speaker Name",    
  ...  
}. 
 ```
## mitigation
patch has been released in version 4.0.35 of the eventin plugin. Site administrators are strongly advised to update to this version immediately. The fix includes additional user validation checks in the SpeakerController::update_item function
File Snapshot

 [4.0K]  /data/pocs/6078ea57aec774365d669e995f86b3241a277dff
├── [6.8K]  CVE-2025-4796.py
└── [1.9K]  README.md

1 directory, 2 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →