The Eventin – Event Calendar, Event Registration, Tickets & Booking (AI Powered) plugin for...
🔗 CVE IDs covered (1)
📋 Description
The Eventin – Event Calendar, Event Registration, Tickets & Booking (AI Powered) plugin for WordPress is vulnerable to authorization bypass due to a regression in versions from 4.0.26 up to and including 4.1.15. This is due to the plugin not properly verifying that a user is authorized to perform an action in the payment_complete() function of PaymentController.php. This makes it possible for unauthenticated attackers to mark unpaid ticket orders as completed by submitting a fabricated SureCart checkout ID or FluentCart cart hash, granting themselves paid event access, QR-code attendee tickets, and order confirmation emails without making any real payment. The wp_rest nonce required to reach the vulnerable endpoint is embedded in every public event page, meaning no WordPress session or credentials are needed to obtain it. This vulnerability represents a regression — the same function and endpoint were previously patched but the fix did not persist through subsequent releases.
🔗 References (4)
- https://nvd.nist.gov/vuln/detail/CVE-2026-13039
- https://plugins.trac.wordpress.org/changeset?reponame=&old=3600977%40wp-event-solution&new=3600977%40wp-event-solution
- https://www.wordfence.com/threat-intel/vulnerabilities/id/84a5348a-a307-4db4-83b6-08682282a4b8?source=cve
- https://github.com/advisories/GHSA-xcc9-4v86-gf8f