Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The Event Monster - Event Management, Events Calendar, Tickets plugin for WordPress is vulnerable to Insufficient Verification of Data Authenticity in versions up to, and including, 2.1.0. This is due to the capture_payment() AJAX handler (registered via wp_ajax_nopriv_em_capture_payment) trusting client-supplied payment data - including transaction ID, amount, and payment status - without performing any server-side verification against the PayPal API or any other payment gateway, and without nonce or capability checks. This makes it possible for unauthenticated attackers to forge payment records, mark bookings as Completed, and obtain confirmation emails containing valid QR code tickets without making any actual payment.
AnalysisAI
Payment forgery in the Event Monster WordPress plugin (versions through 2.1.0) allows unauthenticated remote attackers to generate valid paid event tickets without completing any actual payment transaction. The AJAX handler wp_ajax_nopriv_em_capture_payment accepts client-supplied transaction ID, amount, and payment status values at face value, with no PayPal API verification, no nonce, and no capability check - meaning any HTTP client can POST fabricated payment confirmation data and receive a fully authenticated QR-coded ticket via email. No public exploit has been identified at time of analysis, but the attack requires no authentication and minimal technical skill, making it a meaningful financial fraud risk for any site using this plugin for paid events.
Technical ContextAI
The vulnerability resides in the capture_payment() method within the Event Monster WordPress plugin's AJAX class (class-event-monster-ajax.php), registered under the wp_ajax_nopriv_ hook prefix - WordPress's mechanism for exposing AJAX endpoints to unauthenticated users. CWE-345 (Insufficient Verification of Data Authenticity) is the root cause: the server accepts payment metadata (transaction ID, amount, status) entirely from the client request body rather than querying the PayPal API to independently confirm whether a transaction occurred, what amount was charged, and what its current status is. This is a classic server-side trust-of-client-data flaw. Compounding the issue is the absence of both a WordPress nonce (which would prevent cross-site request forgery and add a layer of session binding) and any capability check (which would restrict the endpoint to authorized users). The referenced source lines at L844, L890, and L92 of the plugin's AJAX class in version 2.0.1 confirm the vulnerable code path in the plugin repository.
RemediationAI
An upstream fix has been committed to the WordPress plugin repository as changeset 3554570 (plugins.trac.wordpress.org/changeset?old=3554570%40event-monster&new=3554570%40event-monster); however, the exact released plugin version number that includes this fix is not independently confirmed from the available input data - site administrators should update to the latest available version of Event Monster from the WordPress plugin directory and verify the installed version is newer than 2.1.0. As a compensating control while patching, administrators can deactivate the Event Monster plugin entirely if paid ticketing is not actively required, or use a WAF rule (such as Wordfence's firewall) to block POST requests to wp-admin/admin-ajax.php targeting action=em_capture_payment. Restricting admin-ajax.php access to authenticated sessions only would break legitimate unauthenticated AJAX features across WordPress and is not recommended as a blanket mitigation. Wordfence customers should verify their firewall rules cover this specific action parameter. The Wordfence advisory at wordfence.com/threat-intel/vulnerabilities/id/daddfbd2-cff4-4caa-bbdc-9945a635a1d6 should be consulted for the latest patch version confirmation.
The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner
The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint
The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via
The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based
SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a
The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i
The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base
The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34931
GHSA-5vph-83m8-9635