Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Unauthenticated network-reachable WordPress plugin endpoint with no user interaction; CWE-1284 input-validation flaw modifies stored data (I:H) without disclosure or availability impact.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Lifecycle Timeline
1DescriptionCVE.org
Unauthenticated Other Vulnerability Type in WpEvently <= 5.3.3 versions.
AnalysisAI
Unauthenticated integrity compromise in the WpEvently WordPress plugin (versions 5.3.3 and earlier) by MagePeople allows remote attackers to alter application data over the network without privileges or user interaction. The vendor-supplied description is a Patchstack placeholder ('Other Vulnerability Type') and does not identify the specific endpoint or function, but the CVSS vector indicates high integrity impact with no confidentiality or availability impact. No public exploit identified at time of analysis.
Technical ContextAI
WpEvently (CPE cpe:2.3:a:magepeople_inc.:wpevently) is the MagePeople 'Mage Eventpress' event management plugin for WordPress, used to publish, sell, and manage event tickets and bookings. CWE-1284 (Improper Validation of Specified Quantity in Input) describes a class where the application accepts user-supplied values representing counts, indexes, or sizes without validating they fall within expected ranges - common in event/ticketing logic for fields such as ticket quantity, seat count, price, or attendee identifiers. Combined with PR:N, this typically points to an unauthenticated REST or admin-ajax endpoint that processes a numeric parameter the plugin trusts to be bounded.
RemediationAI
No vendor-released patch identified at time of analysis; the Patchstack record (https://patchstack.com/database/wordpress/plugin/mage-eventpress/vulnerability/wordpress-wpevently-plugin-5-3-3-other-vulnerability-type-vulnerability) lists 5.3.3 as the latest affected version without naming a fixed release, so administrators should monitor the MagePeople plugin page on WordPress.org and upgrade to any release greater than 5.3.3 as soon as it is published. Until a fix ships, compensating controls include deactivating the WpEvently plugin on sites that do not actively use event management (eliminates exposure but removes ticketing functionality), restricting access to plugin REST and admin-ajax endpoints (e.g., /wp-json/wpevently/* and admin-ajax.php actions prefixed with wpevently or mep_) at a WAF or reverse proxy (may block legitimate front-end booking actions), and enabling Patchstack or Wordfence virtual patching for this CVE (depends on vendor signature coverage and an active subscription).
A Reflected Cross-Site Scripting (XSS) vulnerability exists in the WpEvently WordPress plugin (mage-eventpress) affectin
WpEvently versions prior to 5.1.9 inadvertently expose sensitive information in transmitted data, allowing unauthenticat
Cross-Site request forgery (CSRF) vulnerability in Magepeople inc. Rated medium severity (CVSS 4.3), this vulnerability
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36842
GHSA-2xc5-qjqv-qjrp