CVE-2025-1766
Event Manager, Events Calendar, Tickets, Registrations – Eventin <= 4.0.24 - Missing Authorization to Unauthenticated Payment Status Update
CVSS Score
5.3
EPSS Score
0.0%
EPSS Percentile
0th
The Event Manager, Events Calendar, Tickets, Registrations – Eventin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'payment_complete' function in all versions up to, and including, 4.0.24. This makes it possible for unauthenticated attackers to update the status of ticket payments to 'completed', possibly resulting in financial loss.
| CWE | CWE-862 |
| Vendor | arraytics |
| Product | eventin – event calendar, event registration, tickets & booking (ai powered) |
| Published | Mar 20, 2025 |
| Last Updated | Apr 8, 2026 |
Stay Ahead of the Next One
Get instant alerts for arraytics eventin – event calendar, event registration, tickets & booking (ai powered)
Be the first to know when new medium vulnerabilities affecting arraytics eventin – event calendar, event registration, tickets & booking (ai powered) are published — delivered to Slack, Telegram or Discord.
Get Free Alerts →
Free · No credit card · 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Affected Versions
arraytics / Eventin – Event Calendar, Event Registration, Tickets & Booking (AI Powered)
0 ≤ 4.0.24
References
wordfence.com: https://www.wordfence.com/threat-intel/vulnerabilities/id/f2bcaff9-bf04-4d8e-9422-c433264067ff?source=cve plugins.trac.wordpress.org: http://plugins.trac.wordpress.org/browser/wp-event-solution/tags/4.0.24/core/Order/PaymentController.php#L97 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/changeset/3257023/
Credits
wesley