Skip to main content

WpEvently CVE-2026-45441

| EUVDEUVD-2026-36842 HIGH
Improper Validation of Specified Quantity in Input (CWE-1284)
2026-06-15 Patchstack GHSA-2xc5-qjqv-qjrp
7.5
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
vuln.today AI
7.5 HIGH

Unauthenticated network-reachable WordPress plugin endpoint with no user interaction; CWE-1284 input-validation flaw modifies stored data (I:H) without disclosure or availability impact.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 15, 2026 - 21:54 vuln.today

DescriptionCVE.org

Unauthenticated Other Vulnerability Type in WpEvently <= 5.3.3 versions.

AnalysisAI

Unauthenticated integrity compromise in the WpEvently WordPress plugin (versions 5.3.3 and earlier) by MagePeople allows remote attackers to alter application data over the network without privileges or user interaction. The vendor-supplied description is a Patchstack placeholder ('Other Vulnerability Type') and does not identify the specific endpoint or function, but the CVSS vector indicates high integrity impact with no confidentiality or availability impact. No public exploit identified at time of analysis.

Technical ContextAI

WpEvently (CPE cpe:2.3:a:magepeople_inc.:wpevently) is the MagePeople 'Mage Eventpress' event management plugin for WordPress, used to publish, sell, and manage event tickets and bookings. CWE-1284 (Improper Validation of Specified Quantity in Input) describes a class where the application accepts user-supplied values representing counts, indexes, or sizes without validating they fall within expected ranges - common in event/ticketing logic for fields such as ticket quantity, seat count, price, or attendee identifiers. Combined with PR:N, this typically points to an unauthenticated REST or admin-ajax endpoint that processes a numeric parameter the plugin trusts to be bounded.

RemediationAI

No vendor-released patch identified at time of analysis; the Patchstack record (https://patchstack.com/database/wordpress/plugin/mage-eventpress/vulnerability/wordpress-wpevently-plugin-5-3-3-other-vulnerability-type-vulnerability) lists 5.3.3 as the latest affected version without naming a fixed release, so administrators should monitor the MagePeople plugin page on WordPress.org and upgrade to any release greater than 5.3.3 as soon as it is published. Until a fix ships, compensating controls include deactivating the WpEvently plugin on sites that do not actively use event management (eliminates exposure but removes ticketing functionality), restricting access to plugin REST and admin-ajax endpoints (e.g., /wp-json/wpevently/* and admin-ajax.php actions prefixed with wpevently or mep_) at a WAF or reverse proxy (may block legitimate front-end booking actions), and enabling Patchstack or Wordfence virtual patching for this CVE (depends on vendor signature coverage and an active subscription).

Share

CVE-2026-45441 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy