CVE-2025-26964 is a Local File Inclusion (LFI) vulnerability found in the Arraytics Eventin WordPress plugin, versions up to and including 4.0.20. The vulnerability arises from improper control over the filename parameter used in PHP include or require statements, allowing an attacker to manipulate the input and cause the application to include unintended files from the server. This can lead to arbitrary file disclosure, such as reading sensitive configuration files, source code, or other data stored on the server. In some cases, it may also facilitate remote code execution if the attacker can upload malicious files or leverage other chained vulnerabilities. The issue is classified as an LFI rather than a Remote File Inclusion (RFI) because the inclusion is limited to local files, but the impact remains severe. The vulnerability was published on February 25, 2025, with no CVSS score assigned yet, and no known exploits have been reported in the wild. The affected product, Eventin, is a WordPress plugin designed for event management, which is widely used in various organizations for managing event registrations and calendars. The root cause is insufficient validation or sanitization of user-supplied input controlling the include/require filename, allowing attackers to traverse directories or specify arbitrary local files. This vulnerability can be exploited remotely without authentication, making it accessible to unauthenticated attackers scanning for vulnerable sites. The lack of a patch link indicates that a fix may not yet be publicly available, increasing the urgency for mitigation.

The impact of CVE-2025-26964 is significant for organizations using the Eventin WordPress plugin, as successful exploitation can lead to unauthorized disclosure of sensitive files such as configuration files containing database credentials, application source code, or other critical data. This compromises confidentiality and can facilitate further attacks like privilege escalation or remote code execution if combined with other vulnerabilities. The integrity of the affected systems may also be compromised if attackers manage to execute arbitrary code or modify files. Availability impact is generally lower but could occur if attackers disrupt normal operations by including malicious files or causing application crashes. Since WordPress powers a large portion of websites globally, and Eventin is used for event management, organizations in sectors such as education, event management, marketing, and non-profits could be targeted. The vulnerability's ease of exploitation without authentication and user interaction increases the risk of widespread attacks once exploit code becomes available. The absence of known exploits in the wild currently limits immediate impact but does not reduce the potential severity once weaponized. Organizations failing to address this vulnerability risk data breaches, reputational damage, and regulatory penalties related to data protection laws.

To mitigate CVE-2025-26964, organizations should first check if a security patch or updated version of the Eventin plugin is available from the vendor and apply it promptly. If no patch is available, implement strict input validation and sanitization on any parameters controlling file inclusion paths to ensure only expected, safe filenames are processed. Employ a whitelist approach restricting included files to a predefined set of safe files or directories. Configure the web server and PHP environment to disable dangerous functions such as allow_url_include and restrict file system permissions to limit access to sensitive files. Use Web Application Firewalls (WAFs) to detect and block suspicious requests attempting directory traversal or file inclusion attacks. Monitor logs for unusual access patterns or errors related to file inclusion. Additionally, consider isolating the WordPress environment and limiting plugin usage to reduce attack surface. Regularly audit plugins for vulnerabilities and maintain an inventory of installed components to ensure timely updates. Educate developers and administrators on secure coding practices related to file inclusion and input handling.