Skip to main content

Display Eventbrite Events CVE-2026-39535

| EUVDEUVD-2026-20189 MEDIUM
Missing Authorization (CWE-862)
2026-04-08 Patchstack GHSA-42vq-c86x-66jp
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

4
Analysis Generated
Apr 15, 2026 - 12:41 vuln.today
CVSS changed
Apr 13, 2026 - 19:37 NVD
5.3 (MEDIUM)
EUVD ID Assigned
Apr 08, 2026 - 08:45 euvd
EUVD-2026-20189
CVE Published
Apr 08, 2026 - 08:30 nvd
N/A

DescriptionCVE.org

Missing Authorization vulnerability in fullworks Display Eventbrite Events widget-for-eventbrite-api allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Display Eventbrite Events: from n/a through <= 6.5.6.

AnalysisAI

Missing authorization in the fullworks Display Eventbrite Events WordPress plugin through version 6.5.6 allows unauthenticated remote attackers to modify plugin data via incorrectly configured access control mechanisms. The vulnerability enables integrity attacks (CWE-862: Missing Authorization) without requiring authentication or user interaction, affecting the plugin's REST API or admin functions. EPSS score of 0.02% indicates extremely low real-world exploitation probability despite the network-accessible attack vector.

Technical ContextAI

The Display Eventbrite Events plugin (CPE: cpe:2.3:a:fullworks:display_eventbrite_events:*:*:*:*:*:*:*:*) integrates Eventbrite event data into WordPress. CWE-862 (Missing Authorization) indicates the plugin fails to implement proper permission checks on sensitive operations, likely in its REST API endpoints or admin AJAX handlers. WordPress plugins commonly expose such endpoints via wp-admin/admin-ajax.php or REST /wp-json/ routes without verifying user capabilities (e.g., missing is_user_logged_in() or current_user_can() checks). The vulnerability suggests that access control security levels are not properly enforced when processing requests, allowing actions that should require specific roles or permissions to execute without restriction.

RemediationAI

Update the Display Eventbrite Events plugin to version 6.5.7 or later when available from the WordPress plugin repository. Administrators should navigate to WordPress admin dashboard → Plugins, locate 'Display Eventbrite Events,' and click 'Update.' Until a patched version is released, restrict access to WordPress admin and REST API endpoints via authentication requirements (ensure WordPress login is enforced), consider disabling the plugin if not actively used, and review recent admin logs for unauthorized changes to Eventbrite event displays. Refer to the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/widget-for-eventbrite-api/vulnerability/wordpress-display-eventbrite-events-plugin-6-5-6-broken-access-control-vulnerability for detailed remediation guidance.

Share

CVE-2026-39535 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy