CVE-2025-7813
The Events Calendar, Event Booking, Registrations and Event Tickets – Eventin plugin for WordPress
Executive summary
A high-severity vulnerability has been discovered in the "Eventin" plugin for WordPress that allows Server-Side Request Forgery (SSRF). An unauthenticated attacker can make the WordPress server issue HTTP requests to destinations of the attacker's choosing, including hosts on the internal network, cloud provider metadata endpoints and external third-party sites, which can lead to information disclosure and internal network reconnaissance. Organizations running this plugin are exposed to data theft and to the web server being used as a foothold for further compromise.
Vulnerability
The vulnerability is a Server-Side Request Forgery (SSRF). An attacker supplies a crafted URL through an input the plugin accepts, and the plugin passes that URL to its HTTP client without validating the destination, so the web server connects wherever the attacker points it. From there the attacker can scan internal hosts and ports, read cloud provider metadata services (for example the AWS EC2 instance credentials served at 169.254.169.254), or interact with internal services that are not reachable from the internet but trust requests originating from the web server. How much the attacker learns depends on whether the plugin returns the fetched response to the caller: a full-read SSRF hands back the response body (and with it any credentials it contains), while a blind SSRF still reveals which hosts and ports are reachable through response timing, error messages, and DNS or HTTP callbacks to attacker-controlled infrastructure.
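The following is an added example and not code from the Eventin plugin or the page: it shows, in Python rather than the plugin's PHP, the destination check that a server-side fetch needs before it takes a user-supplied URL. The allowed schemes and ports, the hostnames and the DNS answers are constructed for illustration, and the resolver is injectable so the check can be exercised offline.

```python
"""Destination check for a server-side fetch (added example, not plugin code).

The vulnerable pattern is: take a URL from the request and hand it straight to
an HTTP client. The hardened pattern parses the URL, allowlists scheme and port,
resolves the host, and refuses any address that is not globally routable.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}   # assumption for illustration
ALLOWED_PORTS = {80, 443}             # assumption for illustration


def resolve_all(host: str) -> list[str]:
    """Default resolver: every A/AAAA answer for host (needs network access)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def address_is_internal(text: str) -> bool:
    """True for any address a server-side fetch must never reach: loopback,
    RFC 1918, link-local 169.254.0.0/16 (cloud metadata), CGNAT 100.64.0.0/10,
    documentation and reserved ranges, and their IPv6 counterparts."""
    ip = ipaddress.ip_address(text)
    # ::ffff:10.0.0.1 is 10.0.0.1 wrapped in IPv6; judge the inner address.
    mapped = getattr(ip, "ipv4_mapped", None)
    if mapped is not None:
        ip = mapped
    return not ip.is_global


def check_fetch_url(url: str, resolver=resolve_all) -> tuple[bool, str]:
    """Return (allowed, reason). `resolver` is injectable so the check runs offline."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "no host"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in URL"
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:
        return False, "invalid port"
    if port not in ALLOWED_PORTS:
        return False, f"port {port} not allowed"
    # An IP literal needs no lookup. A name is resolved and EVERY answer is
    # checked, because the attacker controls DNS for names they own. Shorthand
    # such as 127.1 is not a valid literal and therefore also goes to the resolver.
    try:
        addresses = [str(ipaddress.ip_address(host))]
    except ValueError:
        try:
            addresses = resolver(host)
        except OSError:  # socket.gaierror is a subclass
            return False, f"cannot resolve {host!r}"
    if not addresses:
        return False, f"cannot resolve {host!r}"
    for addr in addresses:
        if address_is_internal(addr):
            return False, f"{host!r} resolves to non-public address {addr}"
    return True, "ok"


# Constructed DNS answers so the demonstration runs offline; 93.184.216.34
# stands in for an ordinary public host.
FAKE_DNS = {
    "api.example.com": ["93.184.216.34"],
    "metadata.internal.example": ["169.254.169.254"],
    "rebind.example": ["93.184.216.34", "10.0.0.5"],  # mixed answers: reject
    "127.1": ["127.0.0.1"],  # what a system resolver makes of inet_aton shorthand
}


def fake_resolver(host: str) -> list[str]:
    """Stand-in for resolve_all backed by the constructed table above."""
    if host not in FAKE_DNS:
        raise socket.gaierror(f"constructed NXDOMAIN for {host}")
    return FAKE_DNS[host]


if __name__ == "__main__":
    for u in ("https://api.example.com/feed.ics",
              "http://169.254.169.254/latest/meta-data/iam/security-credentials/",
              "http://metadata.internal.example/",
              "http://[::ffff:10.0.0.1]/",
              "http://127.1/",
              "file:///etc/passwd"):
        print(check_fetch_url(u, fake_resolver), u)
```

In WordPress itself the equivalent is to fetch with `wp_safe_remote_get()` or `wp_safe_remote_post()`, which set `reject_unsafe_urls` so that core validates the destination with `wp_http_validate_url()` (it resolves the host and rejects loopback and RFC 1918 addresses), instead of passing a raw user URL to `wp_remote_get()`; pair it with an explicit check or, better, an allowlist of the few hosts the plugin actually needs rather than assuming core's denylist covers every range. Two gaps remain even with the check above: DNS rebinding, where the HTTP client re-resolves the name after validation and gets a different answer (resolve once and connect to the checked address), and redirects, where the client follows a 3xx to an internal host (disable redirect following or re-check every hop).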
Business impact
This vulnerability is rated as High severity with a CVSS score of 7.2. Successful exploitation could lead to significant business consequences, including the exfiltration of sensitive internal data, disclosure of cloud infrastructure credentials, or unauthorized access to internal applications. An attacker could use the compromised server as a pivot point to conduct reconnaissance on the internal network, escalating an external threat into a full internal breach. This poses a direct risk to data confidentiality, system integrity, and could result in reputational damage and regulatory fines.
Remediation
Immediate Action: Update "The Events Calendar, Event Booking, Registrations and Event Tickets – Eventin" to the latest available release containing the security fix (a version later than 4; confirm the exact patched version in the plugin changelog before deploying). If the plugin is not essential to business operations, deactivate and remove it to eliminate the attack surface entirely.
Proactive Monitoring: Monitor outbound traffic from the web server hosting the WordPress site. Look for connections initiated by the web server process (the PHP worker) to internal ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 127.0.0.0/8) and to cloud metadata endpoints (169.254.169.254), and in particular for many distinct internal hosts or ports contacted in quick succession, which is what a scan driven through the SSRF looks like. Blind exploitation also shows up in the resolver: DNS lookups by the web server for internal hostnames or for attacker-controlled domains. Review web server access logs for requests to the plugin's endpoints whose parameters carry URLs or IP addresses pointing at internal hosts, and error logs for connection failures to addresses the site never legitimately contacts.
Compensating Controls: If patching cannot be performed immediately, implement a Web Application Firewall (WAF) with rules designed to detect and block SSRF patterns, but treat it as a speed bump rather than a fix: signature rules catch literal values such as 169.254.169.254 or 127.0.0.1 and are bypassed by attacker-controlled hostnames that resolve to internal addresses, alternative IP encodings and redirects. The control that actually bounds impact is network-level egress filtering: allow the web server to initiate connections only to the destinations it needs (database, cache, known external APIs) and deny everything else, the metadata endpoint included. On AWS, enforce IMDSv2, which requires a PUT request with a custom header to obtain a session token before any metadata can be read, so a GET-only SSRF cannot retrieve instance credentials; GCP and Azure metadata services likewise require a custom request header (Metadata-Flavor: Google and Metadata: true respectively), so exposure there depends on whether the plugin lets the attacker control request headers.
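The following is an added example, not from the page or the plugin, of the triage the monitoring item above calls for; the same set of expected destinations is what an egress allowlist would be built from. It assumes the host exports accepted outbound connections as key=value records (for example from nftables logging or a conntrack exporter); the field names src/dst/dport/proto/comm, the host name web-01, the expected-destination list and every sample line are constructed.

```python
"""Egress triage for a WordPress host (added example, constructed log format).

The signal is the PHP worker reaching non-public addresses it has no business
with, and above all the cloud metadata endpoint. Ordinary external fetches and
the web tier's known internal dependencies are filtered out first.
"""
import ipaddress
import re

# Constructed sample log: one expected external fetch, normal database and DNS
# traffic, then what an SSRF-driven internal sweep looks like.
SAMPLE_LOG = """\
2025-07-28T10:12:01Z web-01 egress: src=10.20.30.40 dst=93.184.216.34 dport=443 proto=tcp comm=php-fpm
2025-07-28T10:12:03Z web-01 egress: src=10.20.30.40 dst=10.20.30.50 dport=3306 proto=tcp comm=php-fpm
2025-07-28T10:12:09Z web-01 egress: src=10.20.30.40 dst=169.254.169.254 dport=80 proto=tcp comm=php-fpm
2025-07-28T10:12:10Z web-01 egress: src=10.20.30.40 dst=10.20.31.7 dport=8500 proto=tcp comm=php-fpm
2025-07-28T10:12:11Z web-01 egress: src=10.20.30.40 dst=10.20.31.8 dport=6379 proto=tcp comm=php-fpm
2025-07-28T10:12:12Z web-01 egress: src=10.20.30.40 dst=10.20.31.9 dport=9200 proto=tcp comm=php-fpm
2025-07-28T10:12:30Z web-01 egress: src=10.20.30.40 dst=10.20.30.60 dport=53 proto=udp comm=systemd-resolved
"""

# Internal destinations the web tier legitimately uses (assumption: DB and resolver).
EXPECTED = {("10.20.30.50", 3306), ("10.20.30.60", 53)}
# Cloud metadata endpoints: the shared IPv4 address and the AWS IMDS IPv6 address.
METADATA = {"169.254.169.254", "fd00:ec2::254"}
# Processes that serve web requests; only their egress is in scope here.
WEB_WORKERS = {"php-fpm", "apache2", "httpd", "nginx"}

FIELD = re.compile(r"(\w+)=(\S+)")


def parse_record(line: str) -> dict:
    """Timestamp is assumed to be the first token; the rest is key=value."""
    rec = dict(FIELD.findall(line))
    rec["ts"] = line.split(" ", 1)[0]
    return rec


def classify(rec: dict):
    """Return a severity string, or None if the connection is unremarkable."""
    dst, port = rec["dst"], int(rec["dport"])
    if rec.get("comm") not in WEB_WORKERS or (dst, port) in EXPECTED:
        return None
    if dst in METADATA:
        return "critical"          # attempt to read cloud credentials
    if not ipaddress.ip_address(dst).is_global:
        return "high"              # web worker reaching into internal ranges
    return None                    # ordinary outbound fetch


def triage(log_text: str) -> list[tuple]:
    """(severity, timestamp, dst, dport, comm) for every suspicious record, in log order."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        sev = classify(rec)
        if sev:
            findings.append((sev, rec["ts"], rec["dst"], int(rec["dport"]), rec.get("comm")))
    return findings


def looks_like_scan(findings: list[tuple], threshold: int = 3) -> bool:
    """Several distinct internal host:port targets from the web worker has the
    shape of a sweep driven through the SSRF, not of a misconfiguration."""
    targets = {(f[2], f[3]) for f in findings if f[0] == "high"}
    return len(targets) >= threshold


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(*f)
    print("internal sweep:", looks_like_scan(found))
```

Run against the sample, the metadata request is reported as critical and the three consul/redis/elasticsearch-style ports on distinct internal hosts as high, with the sweep heuristic tripping; the database and resolver traffic is silent because it is on the expected list, which is exactly the list an egress allowlist should be cut down to.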
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the High severity rating (CVSS 7.2) and the potential for significant data exposure and internal network access, we strongly recommend that immediate action be taken. Organizations must prioritize applying the vendor-supplied patch to all affected WordPress instances. Although this vulnerability is not currently listed on the CISA KEV catalog, its nature makes it an attractive target for attackers, and a proactive patching strategy is critical to mitigate risk.