Skip to main content

Easy PayPal Events Tickets CVE-2026-41471

| EUVD-2026-27050 HIGH
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-05-04 VulnCheck
PHP WordPress Authentication Bypass Information Disclosure
8.2
CVSS 4.0
Share

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

6
Re-analysis Queued
May 04, 2026 - 18:22 vuln.today
cvss_changed
CVSS changed
May 04, 2026 - 18:22 NVD
7.5 (HIGH) 8.2 (HIGH)
PoC Detected
May 04, 2026 - 18:16 vuln.today
Public exploit code
Analysis Generated
May 04, 2026 - 18:03 vuln.today
Analysis Generated
May 04, 2026 - 17:45 vuln.today
CVE Published
May 04, 2026 - 17:40 nvd
HIGH 8.2

DescriptionNVD

Easy PayPal Events & Tickets plugin for WordPress versions 1.3 and earlier contain an information disclosure vulnerability in the QR code scanning endpoint that allows unauthenticated attackers to enumerate and retrieve all customer order records. Attackers can iterate over sequential WordPress post IDs through the scan_qr.php endpoint to harvest the complete set of orders stored in the database without requiring authentication or prior knowledge of specific order identifiers. This plugin was officially closed as of 2026-03-18.

AnalysisAI

Unauthenticated attackers can enumerate and exfiltrate all customer order records from Easy PayPal Events & Tickets plugin for WordPress through an exposed QR code scanning endpoint. The scan_qr.php file accepts sequential WordPress post IDs without authentication, enabling complete database harvesting of payment and customer information. …

Sign in for full analysis, threat intelligence, and remediation guidance.

RemediationAI

Within 24 hours: identify all WordPress installations using Easy PayPal Events & Tickets plugin via plugin repository scan or admin audit. Within 7 days: deactivate and remove the plugin entirely from all affected instances; migrate ticket and event data to an actively maintained alternative (e.g., Eventbrite integration, WooCommerce Events Calendar). …

Sign in for detailed remediation steps.

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Sign in - Free

More from same product – last 7 days

CVE-2026-7862 HIGH POC
8.6 May 28

Unauthenticated refund abuse in the Eupago Gateway for WooCommerce WordPress plugin before 4.7.2 lets remote attackers t
CVE-2026-6960 CRITICAL
9.8 May 21

Unauthenticated arbitrary file upload in the BookingPress Pro WordPress plugin (versions ≤5.6) enables remote code execu
CVE-2026-8760 CRITICAL
9.8 May 27

Authentication bypass in the Login with OTP plugin for WordPress (all versions up to and including 1.6) lets unauthentic
CVE-2026-42727 CRITICAL
9.3 May 27

Blind SQL injection in the RealMag777 'Active Products Tables for WooCommerce' WordPress plugin (versions up to and incl
CVE-2026-42761 CRITICAL
9.3 May 27

Blind SQL injection in the RealMag777 "Active Products Tables for WooCommerce" WordPress plugin (all versions up to and

Share

CVE-2026-41471 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy