CVE-2024-7149
📋 TL;DR
This vulnerability allows authenticated WordPress users with Contributor-level access or higher to perform Local File Inclusion attacks in the Eventin plugin. Attackers can include and execute arbitrary PHP files on the server, potentially leading to remote code execution, data theft, or privilege escalation. All WordPress sites using Eventin plugin versions up to 4.0.8 are affected.
💻 Affected Systems
- Eventin - Events Calendar, Tickets, Registrations WordPress Plugin
📦 What is this software?
Eventin by Themewinter
⚠️ Risk & Real-World Impact
Worst Case
Full server compromise through remote code execution, allowing attackers to install backdoors, steal sensitive data, deface websites, or pivot to other systems.
Likely Case
Unauthorized file access leading to sensitive information disclosure, privilege escalation to administrator, or website defacement.
If Mitigated
Limited impact if proper file permissions restrict PHP execution and the web server runs with minimal privileges.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once credentials are obtained. Multiple vulnerable parameters exist across widget files.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.0.9 or later
Vendor Advisory: https://wordpress.org/plugins/wp-event-solution/#developers
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the 'Eventin' plugin.
4. Click 'Update Now' if an update is available.
5. If no update appears, manually download version 4.0.9+ from WordPress.org and replace the plugin files.
🔧 Temporary Workarounds
Disable vulnerable widgets (all platforms)
Temporarily disable the affected widgets until the patch can be applied.
Navigate to WordPress Appearance → Widgets and remove Eventin widgets from active areas.
Restrict file uploads (Linux)
Prevent upload of PHP files and other executable content.
Add to an .htaccess file in the uploads directory (not the site root, where it would block WordPress itself):
<FilesMatch "\.(php|php3|php4|php5|phtml|pl|py|jsp|asp|sh|cgi)$">
Order Allow,Deny
Deny from all
</FilesMatch>
On Apache 2.4 without mod_access_compat, replace the two Order/Deny lines with "Require all denied".
🧯 If You Can't Patch
- Remove Contributor role access or restrict to trusted users only
- Implement web application firewall rules to block LFI patterns in requests
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Eventin version. If the version is 4.0.8 or lower, the site is vulnerable.
Check Version:
wp plugin list --name=eventin --field=version
Verify Fix Applied:
Confirm plugin version is 4.0.9 or higher in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- Unusual file include requests in web server logs containing '..', 'style', or 'template' parameters
- Multiple failed authentication attempts followed by successful Contributor login
Network Indicators:
- HTTP requests with suspicious parameters like 'style=../../../etc/passwd' or similar path traversal patterns
SIEM Query:
source="web_logs" AND (uri="*style=*" OR uri="*template=*") AND (uri="*../*" OR uri="*..\\*" OR uri="*%2e%2e%2f*")
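The SIEM query above, expressed as standalone detection logic and run over a handful of constructed access-log lines. This is an added example for this page, not code from the advisory, Wordfence, or the Eventin plugin: the request paths, timestamps and IP addresses are made up, and it assumes logs in Apache/nginx combined format. It goes one step beyond the literal SIEM patterns by percent-decoding parameter values repeatedly, so double-encoded traversal (%252e%252e%252f) is caught as well.

```python
"""Flag access-log requests that put path-traversal sequences into the
include parameters the advisory names (style, template).
Added example, not part of the advisory or the Eventin plugin."""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Query parameters the advisory names as carrying an include path.
WATCHED_PARAMS = {"style", "template"}

# Apache/nginx "combined" log format; only the fields needed here are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

# Traversal forms the advisory's SIEM query looks for: "../" and "..\".
# Percent-encoded spellings are handled by decoding before matching.
TRAVERSAL_RE = re.compile(r"\.\.(/|\\)")

# Constructed sample lines; the request paths are illustrative, not the
# plugin's real endpoints.
SAMPLE_LOG = [
    '203.0.113.10 - - [10/Jul/2024:12:00:01 +0000] "GET /events/?style=default HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.11 - - [10/Jul/2024:12:00:02 +0000] "GET /events/?style=../../../etc/passwd HTTP/1.1" 200 1024 "-" "curl/8.0"',
    '203.0.113.12 - - [10/Jul/2024:12:00:03 +0000] "GET /events/?template=%2e%2e%2fwp-config.php HTTP/1.1" 200 900 "-" "python-requests/2.31"',
    '203.0.113.13 - - [10/Jul/2024:12:00:04 +0000] "GET /events/?template=%252e%252e%252fwp-config.php HTTP/1.1" 200 900 "-" "python-requests/2.31"',
    '203.0.113.14 - - [10/Jul/2024:12:00:05 +0000] "GET /events/?template=..\\..\\windows\\win.ini HTTP/1.1" 404 300 "-" "Mozilla/5.0"',
    '203.0.113.15 - - [10/Jul/2024:12:00:06 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]


def fully_decode(value, max_rounds=3):
    """Undo repeated percent-encoding so double-encoded traversal
    (%252e%252e%252f) is normalised to '../' before matching."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_params(uri):
    """Return (name, decoded value) pairs for watched parameters whose
    value contains a traversal sequence; empty list when clean."""
    hits = []
    # parse_qsl already decodes one layer of percent-encoding.
    for name, raw in parse_qsl(urlsplit(uri).query, keep_blank_values=True):
        if name.lower() not in WATCHED_PARAMS:
            continue
        value = fully_decode(raw)
        if TRAVERSAL_RE.search(value):
            hits.append((name, value))
    return hits


def scan_log(lines):
    """Parse combined-format log lines and return one alert dict per request
    whose style/template parameter carries a traversal sequence."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip it rather than abort the scan
        hits = suspicious_params(m.group("uri"))
        if hits:
            alerts.append({
                "ip": m.group("ip"),
                "time": m.group("ts"),
                "status": int(m.group("status")),
                "params": hits,
            })
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        # A 200 does not prove the include succeeded (PHP typically answers
        # 200 even when the include fails), so every hit deserves triage.
        print(f"{alert['time']} {alert['ip']} status={alert['status']} {alert['params']}")
```

Feed real log lines to `scan_log` (for example `scan_log(open("/var/log/apache2/access.log"))`) and correlate alerts with the Contributor login events from the Log Indicators above; the HTTP status is kept in each alert only as a triage hint, since the vulnerable include usually returns 200 whether or not the target file existed.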
🔗 References
- https://plugins.trac.wordpress.org/browser/wp-event-solution/trunk/widgets/events-tab/style/tab-1.php#L42
- https://plugins.trac.wordpress.org/browser/wp-event-solution/trunk/widgets/events/events.php#L754
- https://plugins.trac.wordpress.org/browser/wp-event-solution/trunk/widgets/schedule-list/schedule-list.php#L293
- https://plugins.trac.wordpress.org/browser/wp-event-solution/trunk/widgets/schedule/schedule.php#L368
- https://plugins.trac.wordpress.org/browser/wp-event-solution/trunk/widgets/speakers/speakers.php#L483
- https://plugins.trac.wordpress.org/changeset/3157415/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/75537b61-5622-4b35-b80e-389526bd99f0?source=cve