
Eventin, a WordPress plugin widely used for event management, was found to contain a critical vulnerability. The flaw allowed anyone, including visitors with no account on the site, to obtain administrator privileges and take full control of the website. It was discovered by Denver Jackson, a member of the Patchstack Alliance community.
The root of the issue lay in Eventin's speaker import feature. An attacker could upload a specially crafted import file in which one of the "guest speakers" was assigned the role "administrator". The plugin passed that role straight through to user creation without checking it, so a new WordPress account with full administrator rights was created on the attacker's behalf.
Two defects combined here. The import endpoint performed no access control: it never checked whether the person initiating the upload was logged in at all, let alone whether they held a capability that permits creating users. And the role value read from the uploaded file was never validated against an expected set of roles before being honoured. Together these let an unauthenticated attacker bypass every safeguard and gain unrestricted control over the site: modifying settings, deleting content, managing users, and more.
The developers have since released version 4.0.27, which adds proper permission checks to the import and restricts the roles an imported speaker may be assigned. These two changes close the attack vector. Sites running an earlier version should update; because the flaw required no account, it is also worth reviewing the site's administrator list for accounts that nobody recognises, since a successful attack would have left one behind. Security experts at Patchstack emphasize the importance of updating plugins regularly and keeping a close eye on their security, particularly when such tools handle user data or grant administrative access to the website.
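The pattern described above, as an added illustration written for this article and not Eventin's own code: a speaker-import REST endpoint in its vulnerable shape, where the route is open to everyone and the role column of the upload is handed directly to `wp_insert_user()`, next to a hardened version that requires the `create_users` capability and accepts only an explicit allowlist of roles. The route names, the `speakers` parameter, the CSV layout and every `example_` function name are assumptions made for the example; only the WordPress API calls (`register_rest_route`, `wp_insert_user`, `current_user_can`, the sanitize helpers) are real.

```php
<?php
/**
 * Added illustration, not Eventin's code. Route names, the `speakers`
 * parameter, the CSV layout and the example_* functions are assumptions.
 */

// --- Vulnerable pattern ------------------------------------------------------
// permission_callback always allows, so an unauthenticated visitor can reach
// the route, and the role column of the upload is passed to wp_insert_user().
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-events/v1', '/speakers/import', array(
        'methods'             => 'POST',
        'callback'            => 'example_import_speakers_vulnerable',
        'permission_callback' => '__return_true',   // no authorization at all
    ) );
} );

function example_import_speakers_vulnerable( WP_REST_Request $request ) {
    $rows    = example_parse_speaker_csv( (string) $request->get_param( 'speakers' ) );
    $created = array();
    foreach ( $rows as $row ) {
        // The attacker controls every field; role "administrator" is accepted as-is,
        // and the password comes from the upload, so the attacker can log straight in.
        $created[] = wp_insert_user( array(
            'user_login' => $row['user_login'],
            'user_email' => $row['user_email'],
            'user_pass'  => $row['user_pass'],
            'role'       => $row['role'],
        ) );
    }
    return rest_ensure_response( $created );
}

// --- Hardened pattern --------------------------------------------------------
// 1. Only a logged-in user who may create users can call the route.
// 2. The role must be on an explicit allowlist; anything else is rejected
//    with an error rather than silently honoured.
// 3. Passwords are generated server-side, never taken from the upload.
const EXAMPLE_ALLOWED_SPEAKER_ROLES = array( 'subscriber', 'contributor' );

add_action( 'rest_api_init', function () {
    register_rest_route( 'example-events/v1', '/speakers/import-safe', array(
        'methods'             => 'POST',
        'callback'            => 'example_import_speakers_hardened',
        'permission_callback' => function () {
            return current_user_can( 'create_users' );
        },
    ) );
} );

function example_import_speakers_hardened( WP_REST_Request $request ) {
    $rows    = example_parse_speaker_csv( (string) $request->get_param( 'speakers' ) );
    $created = array();
    foreach ( $rows as $row ) {
        $role = sanitize_key( isset( $row['role'] ) ? $row['role'] : '' );
        if ( ! in_array( $role, EXAMPLE_ALLOWED_SPEAKER_ROLES, true ) ) {
            return new WP_Error(
                'example_bad_role',
                sprintf( 'Role "%s" is not permitted for imported speakers.', $role ),
                array( 'status' => 400 )
            );
        }
        $created[] = wp_insert_user( array(
            'user_login' => sanitize_user( $row['user_login'], true ),
            'user_email' => sanitize_email( $row['user_email'] ),
            'user_pass'  => wp_generate_password( 24 ),
            'role'       => $role,
        ) );
    }
    return rest_ensure_response( $created );
}

/**
 * Minimal CSV parser for the assumed layout (header row required):
 *   user_login,user_email,role            for the hardened route
 *   user_login,user_email,user_pass,role  for the vulnerable route
 * Rows whose column count does not match the header are skipped.
 */
function example_parse_speaker_csv( $csv ) {
    $lines  = array_values( array_filter( array_map( 'trim', explode( "\n", $csv ) ) ) );
    if ( empty( $lines ) ) {
        return array();
    }
    $header = str_getcsv( array_shift( $lines ) );
    $rows   = array();
    foreach ( $lines as $line ) {
        $fields = str_getcsv( $line );
        if ( count( $fields ) === count( $header ) ) {
            $rows[] = array_combine( $header, $fields );
        }
    }
    return $rows;
}
```

Both defects the article names are visible side by side: the `permission_callback` decides who may reach the import at all, and the allowlist decides what the import may do once reached; the fix in 4.0.27 is described as addressing both. To check a site, WP-CLI's `wp plugin list --fields=name,version` shows the installed version, and `wp user list --role=administrator --fields=user_login,user_email,user_registered` lists administrator accounts with their creation dates so that an unrecognised one stands out.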