Is WordPress affected by CVE-2025-3419?

Organizations using plugin for WordPress is vulnerable to arbitrary file read in all face notable risk from CVE-2025-3419 rated CVSS 7.5. Exploitation could compromise the security of affected deployments. A patch is available and should be applied as part of regular vulnerability management.

CVE-2025-3419

Q: How to fix CVE-2025-3419?

Within 7 days: Identify all affected systems running plugin for WordPress is vulnerable to arbitrary file read in and apply vendor patches promptly. Vendor patch is available.

HIGH

2025-05-08 [email protected]

WordPress Information Disclosure

7.5

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 28, 2026 - 18:40 vuln.today

Patch Released

Mar 28, 2026 - 18:40 nvd

Patch available

CVE Published

May 08, 2025 - 06:15 nvd

HIGH 7.5

DescriptionNVD

The Event Manager, Events Calendar, Tickets, Registrations - Eventin plugin for WordPress is vulnerable to arbitrary file read in all versions up to, and including, 4.0.26 via the proxy_image() function. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information.

AnalysisAI

The Event Manager, Events Calendar, Tickets, Registrations - Eventin plugin for WordPress is vulnerable to arbitrary file read in all versions up to, and including, 4.0.26 via the proxy_image(). Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Technical ContextAI

This vulnerability is classified under CWE-73. The Event Manager, Events Calendar, Tickets, Registrations - Eventin plugin for WordPress is vulnerable to arbitrary file read in all versions up to, and including, 4.0.26 via the proxy_image() function. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information. Affected products include: Themewinter Eventin.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

CVE-2025-3419 vulnerability details – vuln.today

Back

CVE-2025-3419

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

Technical ContextAI

RemediationAI

Share

External POC / Exploit Code