CVE-2025-26964

7.5 HIGH

📋 TL;DR

This vulnerability allows attackers to include local files on the server through improper filename control in PHP include/require statements. It affects WordPress sites using the Eventin plugin (formerly WP Event Solution) from unknown versions through 4.0.20. Attackers can potentially read sensitive files or execute code depending on server configuration.

💻 Affected Systems

Products:
  • Themewinter Eventin (formerly WP Event Solution)
Versions: n/a through 4.0.20
Operating Systems: Any OS running PHP
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress with vulnerable Eventin plugin version. PHP configuration affects exploitability (allow_url_include, open_basedir restrictions).

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete server compromise, data theft, or website defacement if PHP files can be included and executed.

🟠

Likely Case

Local file inclusion allowing reading of sensitive files like configuration files, logs, or source code containing credentials.

🟢

If Mitigated

Limited file disclosure if proper file permissions and PHP security settings restrict included file execution.

🌐 Internet-Facing: HIGH - WordPress plugins are typically internet-facing and this vulnerability can be exploited remotely.
🏢 Internal Only: MEDIUM - Internal systems could still be vulnerable if attackers gain internal network access.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires understanding of PHP file inclusion vulnerabilities and may need authentication depending on vulnerable endpoint.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.0.21 or later

Vendor Advisory: https://patchstack.com/database/wordpress/plugin/wp-event-solution/vulnerability/wordpress-eventin-plugin-4-0-20-local-file-inclusion-vulnerability?_s_id=cve

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the 'Eventin' plugin.
4. Click 'Update Now' if an update is available.
5. Alternatively, download the latest version from the WordPress repository and update manually.

🔧 Temporary Workarounds

Disable vulnerable plugin

WordPress

Temporarily disable Eventin plugin until patched

wp plugin deactivate wp-event-solution   # WP-CLI takes the plugin slug (the directory name under wp-content/plugins), which is wp-event-solution, not the display name "Eventin"

PHP security hardening

PHP

Set PHP open_basedir restrictions and disable dangerous functions

open_basedir = /var/www/html
disable_functions = exec,passthru,shell_exec,system

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to block file inclusion patterns
  • Restrict file permissions and implement strict access controls on sensitive files

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin → Plugins → Eventin version. If the installed version is 4.0.20 or earlier, the site is vulnerable; the affected range has no known lower bound (listed as 'n/a'), so every release up to and including 4.0.20 should be treated as affected.

Check Version:

wp plugin get wp-event-solution --field=version   # use the plugin slug (directory name), not the display name "Eventin"

Verify Fix Applied:

Verify Eventin plugin version is 4.0.21 or later in WordPress admin panel.

📡 Detection & Monitoring

Log Indicators:

  • Unusual PHP include/require statements in web server logs
  • Requests with file path traversal patterns (../, ..\)
  • Access to sensitive files via web paths

Network Indicators:

  • HTTP requests with file inclusion parameters
  • Unusual file paths in URL parameters

SIEM Query:

(web.url:*include* OR web.url:*require* OR web.url:*..*) AND web.url:*php*

Note: without the parentheses, AND binds more tightly than OR in most query languages, so the original form would have matched any URL containing "include" or "require" regardless of the *php* condition. This query also matches only a literal ".." in the URL; percent-encoded traversal (e.g. %2e%2e%2f) needs the URL decoded first.
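Because a wildcard match on ".." misses percent-encoded traversal, a decoding pass is the practical complement to the SIEM query. The script below is an added example, not code from the advisory or from the Eventin project: it percent-decodes each request URL until stable, flags the "../" and "..\" traversal forms listed above, and marks 200 responses for escalation. The log lines are constructed, and the query parameter names in them are placeholders rather than the plugin's actual endpoints.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in combined access-log format (not real traffic);
# the query parameter names are placeholders, not the plugin's real endpoints.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Apr/2025:10:01:02 +0000] "GET /index.php?file=../../../../etc/passwd HTTP/1.1" 200 512
203.0.113.5 - - [10/Apr/2025:10:01:05 +0000] "GET /?template=..%2F..%2Fwp-config.php HTTP/1.1" 200 2048
203.0.113.9 - - [10/Apr/2025:10:02:00 +0000] "GET /?view=%252e%252e%255cwindows%255cwin.ini HTTP/1.1" 404 0
198.51.100.7 - - [10/Apr/2025:10:03:10 +0000] "GET /events/?page=2 HTTP/1.1" 200 9000
198.51.100.8 - - [10/Apr/2025:10:03:11 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 120
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)
# Matches "../" and "..\" after decoding (the two traversal forms the advisory lists).
TRAVERSAL_RE = re.compile(r'\.\.[/\\]')


def normalize_url(url, max_rounds=3):
    """Percent-decode until stable so double-encoded traversal (%252e%252e) is caught."""
    for _ in range(max_rounds):
        decoded = unquote(url)
        if decoded == url:
            break
        url = decoded
    return url


def find_traversal_requests(log_text):
    """Return one record per request whose decoded URL contains a traversal sequence.
    A 200 response is the case worth escalating (the include may have succeeded);
    a 404 suggests the requested file was not served."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = normalize_url(m['url'])
        if TRAVERSAL_RE.search(url):
            hits.append({'ip': m['ip'], 'url': url,
                         'status': int(m['status']),
                         'escalate': m['status'] == '200'})
    return hits


if __name__ == '__main__':
    for hit in find_traversal_requests(SAMPLE_LOG):
        print(hit)
```

Feed it the live access log (or a SIEM export) instead of SAMPLE_LOG; the decoded URL in each hit is what to correlate against the plugin's request handlers.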
