Sign in Get started

← All vendors

Vendor

Themewinter

Sign in to watch

Products

2

CVEs

18

Across products

18

Status

Private

Products

2

Eventin
12 CVEs
Wpcafe
6 CVEs

Recent CVEs

18

CVE	Sev	Risk	CVSS	EPSS	KEV	Published	Description
CVE-2025-47539	Cri	0.66	9.8	0.28		May 23, 2025	Incorrect Privilege Assignment vulnerability in Arraytics Eventin wp-event-solution allows Privilege Escalation.This issue affects Eventin: from n/a through <= 4.0.26.
CVE-2024-5431	Hig	0.57	8.8	0.01		Jun 25, 2024	The WPCafe – Online Food Ordering, Restaurant Menu, Delivery, and Reservations for WooCommerce plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.2.25 via the reservation_extra_field shortcode parameter. This makes it possible for authenticated attackers, with Contributor-level access and above, to include remote files on the server, potentially resulting in code execution
CVE-2025-47445	Hig	0.49	7.5	0.09		May 14, 2025	Relative Path Traversal vulnerability in Arraytics Eventin wp-event-solution allows Path Traversal.This issue affects Eventin: from n/a through <= 4.0.26.
CVE-2025-3419	Hig	0.49	7.5	0.00		May 8, 2025	The Event Manager, Events Calendar, Tickets, Registrations – Eventin plugin for WordPress is vulnerable to arbitrary file read in all versions up to, and including, 4.0.26 via the proxy_image() function. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information. CVE-2025-47445 is a duplicate of this vulnerability.
CVE-2025-39584	Hig	0.49	7.5	0.00		Apr 16, 2025	Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Arraytics Eventin wp-event-solution allows PHP Local File Inclusion.This issue affects Eventin: from n/a through <= 4.0.25.
CVE-2025-26964	Hig	0.49	7.5	0.01		Feb 25, 2025	Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Arraytics Eventin wp-event-solution allows PHP Local File Inclusion.This issue affects Eventin: from n/a through <= 4.0.20.
CVE-2025-49321	Hig	0.46	7.1	0.00		Jun 27, 2025	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Arraytics Eventin wp-event-solution allows Reflected XSS.This issue affects Eventin: from n/a through <= 4.0.28.
CVE-2024-56213	Med	0.42	6.5	0.01		Dec 31, 2024	Path Traversal: '.../...//' vulnerability in Arraytics Eventin wp-event-solution allows Path Traversal.This issue affects Eventin: from n/a through <= 4.0.7.
CVE-2024-5427	Med	0.42	6.4	0.00		May 31, 2024	The WPCafe – Online Food Ordering, Restaurant Menu, Delivery, and Reservations for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Reservation Form shortcode in all versions up to, and including, 2.2.24 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2023-49756	Med	0.35	5.4	0.00		Dec 9, 2024	Missing Authorization vulnerability in Arraytics Eventin wp-event-solution allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Eventin: from n/a through <= 3.3.52.
CVE-2023-47805	Med	0.35	5.3	0.01		Dec 9, 2024	Missing Authorization vulnerability in Arraytics WPCafe wp-cafe allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WPCafe: from n/a through <= 2.2.22.
CVE-2024-1855	Med	0.34	5.3	0.00		May 23, 2024	The WPCafe – Restaurant Menu, Online Ordering for WooCommerce, Pickup / Delivery and Table Reservation plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.2.23 via the wpc_check_for_submission function. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application.
CVE-2024-1122	Med	0.34	5.3	0.00		Feb 9, 2024	The Event Manager, Events Calendar, Events Tickets for WooCommerce – Eventin plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the export_data() function in all versions up to, and including, 3.3.50. This makes it possible for unauthenticated attackers to export event data.
CVE-2024-6033	Med	0.28	4.3	0.00		Jul 17, 2024	The Event Manager, Events Calendar, Tickets, Registrations – Eventin plugin for WordPress is vulnerable to unauthorized data importation due to a missing capability check on the 'import_file' function in all versions up to, and including, 4.0.4. This makes it possible for authenticated attackers, with Contributor-level access and above, to import events, speakers, schedules and attendee data.
CVE-2024-43135		0.00	—	0.02		Aug 13, 2024	Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Themewinter WPCafe allows PHP Local File Inclusion.This issue affects WPCafe: from n/a through 2.2.28.
CVE-2024-39648		0.00	—	0.00		Aug 1, 2024	Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Themewinter Eventin allows Stored XSS.This issue affects Eventin: from n/a through 4.0.5.
CVE-2024-37507		0.00	—	0.00		Jul 21, 2024	Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Themewinter Eventin allows Stored XSS.This issue affects Eventin: from n/a through 3.3.57.
CVE-2024-37513		0.00	—	0.01		Jul 9, 2024	Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Themewinter WPCafe allows Path Traversal.This issue affects WPCafe: from n/a through 2.2.27.