CVE-2025-1770

CVE-2025-1770, published on 2025-03-20, is a Local File Inclusion (LFI) vulnerability (CWE-22) in the Event Manager, Events Calendar, Tickets, Registrations – Eventin plugin for WordPress. It affects all versions up to and including 4.0.24 and stems from improper handling of the 'style' parameter, which allows the inclusion and execution of arbitrary files on the server. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

Authenticated attackers with Contributor-level access or higher can exploit this issue over the network with low complexity and no user interaction. By manipulating the 'style' parameter, they can include arbitrary files, execute PHP code within them, bypass access controls, obtain sensitive data, or achieve code execution, particularly if images or other "safe" file types containing PHP payloads can be uploaded and included.

Advisories and patches are detailed in the provided references, including Wordfence's threat intelligence report and WordPress plugin trac entries. Specific code locations in events-calendar.php (line 715) and tab-1.php (line 53) from version 4.0.24 are implicated, with changeset 3257023 indicating the applied fix.