Critical WordPress Plugin Vulnerability Exposes 10K+ Sites to Cyber Attack

A severe privilege escalation vulnerability has been discovered in the popular WordPress plugin Eventin, putting more than 10,000 websites at risk of complete compromise.

The vulnerability, now tracked as CVE-2025-47539, allows unauthenticated attackers to create administrator accounts without any user interaction, giving them full control over affected websites.

Security researchers are urging site owners to update immediately to version 4.0.27, which contains a patch for this critical security flaw.

The Eventin plugin, developed by Themewinter, is widely used for event management functionalities on WordPress sites.

Its extensive adoption across thousands of websites makes this vulnerability particularly concerning, as successful exploitation could lead to site defacement, data theft, malware injection, or use of the compromised sites in larger botnet operations.

Patchstack researchers identified that the vulnerability stems from an improperly secured REST API endpoint in the Eventin plugin that handles speaker imports.

The Vulnerability

The vulnerability was initially reported on April 19, 2025, through Patchstack’s Zero Day bug bounty program by security researcher Denver Jackson, who received a $600 USD reward for the discovery.

What makes this vulnerability particularly dangerous is its unauthenticated nature, requiring no login credentials or social engineering to exploit.

An attacker simply needs to send a specially crafted request to the vulnerable endpoint to create an administrator-level account, after which they can access the site’s admin dashboard by performing a password reset.

The technical analysis reveals that the vulnerability exists in the /wp-json/eventin/v2/speakers/import REST API endpoint.

The core issue lies in the import_item_permissions_check() function, which was implemented to simply return true without performing any actual permission validation:

// Vulnerable permission callback (before 4.0.27): every caller, logged in or not, passes.
public function import_item_permissions_check($request) {
    return true;
}

This implementation allows any unauthenticated user to access the endpoint. Combined with a lack of role validation when processing imported user data, attackers could submit a CSV file containing their details with an administrator role specification:

// User arguments built from a CSV row; the 'role' value is copied verbatim,
// so a row specifying 'administrator' is accepted without any allowlist check.
$args = [
    'first_name' => !empty($row['name']) ? $row['name'] : '',
    // Other user details...
    'role' => !empty($row['role']) ? $row['role'] : '',
];

Themewinter addressed the vulnerability in version 4.0.27, released on April 30, 2025, by implementing proper permission checks and restricting the allowed roles during user imports:

// Patched permission callback (4.0.27): only users holding an Eventin
// management capability reach the import handler; anonymous requests fail here.
public function import_item_permissions_check($request) {
    return current_user_can('etn_manage_organizer') || current_user_can('etn_manage_event');
}
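The article quotes the patched permission callback but not the role restriction it mentions alongside it. The following is an added illustration, not Themewinter's code, of how a WordPress REST import endpoint can combine both defences: a permission_callback that rejects unauthenticated and under-privileged callers, and a role allowlist that prevents imported rows from assigning privileged roles. The class name, route namespace, request shape (a 'rows' parameter holding parsed CSV rows) and the allowlist contents are assumptions; the two capability names are the ones quoted in the article, and all WordPress functions used exist in core.

```php
<?php
// Added example (not the Eventin plugin's code). Assumptions: class/route names,
// the 'rows' request parameter, and the role allowlist. Capability names
// etn_manage_organizer / etn_manage_event are those quoted in the article.

class Example_Speaker_Import_Controller {

    // Roles an importer may assign. Anything else (including 'administrator')
    // is downgraded to the default, so a crafted CSV cannot elevate privileges.
    const ALLOWED_ROLES = [ 'subscriber', 'contributor' ];
    const DEFAULT_ROLE  = 'subscriber';

    public function register_routes() {
        register_rest_route( 'example/v1', '/speakers/import', [
            'methods'             => WP_REST_Server::CREATABLE,
            'callback'            => [ $this, 'import_items' ],
            // A real permission callback: anonymous callers fail current_user_can()
            // and never reach import_items().
            'permission_callback' => [ $this, 'import_item_permissions_check' ],
        ] );
    }

    public function import_item_permissions_check( WP_REST_Request $request ) {
        if ( current_user_can( 'etn_manage_organizer' ) || current_user_can( 'etn_manage_event' ) ) {
            return true;
        }
        // rest_authorization_required_code() yields 401 for anonymous, 403 for logged-in callers.
        return new WP_Error(
            'rest_forbidden',
            'You are not allowed to import speakers.',
            [ 'status' => rest_authorization_required_code() ]
        );
    }

    // Normalise the CSV role column and enforce the allowlist.
    public static function sanitize_role( $raw_role ) {
        $role = strtolower( sanitize_text_field( (string) $raw_role ) );
        return in_array( $role, self::ALLOWED_ROLES, true ) ? $role : self::DEFAULT_ROLE;
    }

    // Build wp_insert_user() arguments for one parsed CSV row, sanitising every field.
    public static function build_user_args( array $row ) {
        return [
            'user_login' => sanitize_user( $row['email'] ?? '', true ),
            'user_email' => sanitize_email( $row['email'] ?? '' ),
            'first_name' => sanitize_text_field( $row['name'] ?? '' ),
            // A random password forces the imported user through the normal reset flow.
            'user_pass'  => wp_generate_password( 24, true, true ),
            'role'       => self::sanitize_role( $row['role'] ?? '' ),
        ];
    }

    public function import_items( WP_REST_Request $request ) {
        $rows    = (array) $request->get_param( 'rows' ); // assumed: list of associative arrays
        $created = [];
        $errors  = [];

        foreach ( $rows as $i => $row ) {
            $args = self::build_user_args( (array) $row );
            if ( empty( $args['user_email'] ) ) {
                $errors[] = "row $i: missing or invalid email";
                continue;
            }
            $result = wp_insert_user( $args );
            if ( is_wp_error( $result ) ) {
                $errors[] = "row $i: " . $result->get_error_message();
                continue;
            }
            $created[] = $result; // new user ID
        }

        return rest_ensure_response( [ 'created' => $created, 'errors' => $errors ] );
    }
}

add_action( 'rest_api_init', function () {
    ( new Example_Speaker_Import_Controller() )->register_routes();
} );
```

The two checks are deliberately independent: even if a capability check were later loosened, the allowlist in sanitize_role() still prevents an import from producing an administrator, and even if the allowlist were widened, the permission callback still keeps anonymous requests away from the handler entirely.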

WordPress site administrators using the Eventin plugin are strongly advised to update to version 4.0.27 or later immediately.

Those unable to update should consider temporarily disabling the plugin until updates can be applied, as the unauthenticated nature of this exploit makes it particularly dangerous in the wild.


The post Critical WordPress Plugin Vulnerability Exposes 10K+ Sites to Cyber Attack appeared first on Cyber Security News.