Skip to main content

Event Monster CVE-2026-8608

| EUVDEUVD-2026-34931 MEDIUM
Insufficient Verification of Data Authenticity (CWE-345)
2026-06-06 security@wordfence.com GHSA-5vph-83m8-9635
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jun 06, 2026 - 00:30 vuln.today
CVE Published
Jun 06, 2026 - 00:16 nvd
MEDIUM 5.3

DescriptionCVE.org

The Event Monster - Event Management, Events Calendar, Tickets plugin for WordPress is vulnerable to Insufficient Verification of Data Authenticity in versions up to, and including, 2.1.0. This is due to the capture_payment() AJAX handler (registered via wp_ajax_nopriv_em_capture_payment) trusting client-supplied payment data - including transaction ID, amount, and payment status - without performing any server-side verification against the PayPal API or any other payment gateway, and without nonce or capability checks. This makes it possible for unauthenticated attackers to forge payment records, mark bookings as Completed, and obtain confirmation emails containing valid QR code tickets without making any actual payment.

AnalysisAI

Payment forgery in the Event Monster WordPress plugin (versions through 2.1.0) allows unauthenticated remote attackers to generate valid paid event tickets without completing any actual payment transaction. The AJAX handler wp_ajax_nopriv_em_capture_payment accepts client-supplied transaction ID, amount, and payment status values at face value, with no PayPal API verification, no nonce, and no capability check - meaning any HTTP client can POST fabricated payment confirmation data and receive a fully authenticated QR-coded ticket via email. No public exploit has been identified at time of analysis, but the attack requires no authentication and minimal technical skill, making it a meaningful financial fraud risk for any site using this plugin for paid events.

Technical ContextAI

The vulnerability resides in the capture_payment() method within the Event Monster WordPress plugin's AJAX class (class-event-monster-ajax.php), registered under the wp_ajax_nopriv_ hook prefix - WordPress's mechanism for exposing AJAX endpoints to unauthenticated users. CWE-345 (Insufficient Verification of Data Authenticity) is the root cause: the server accepts payment metadata (transaction ID, amount, status) entirely from the client request body rather than querying the PayPal API to independently confirm whether a transaction occurred, what amount was charged, and what its current status is. This is a classic server-side trust-of-client-data flaw. Compounding the issue is the absence of both a WordPress nonce (which would prevent cross-site request forgery and add a layer of session binding) and any capability check (which would restrict the endpoint to authorized users). The referenced source lines at L844, L890, and L92 of the plugin's AJAX class in version 2.0.1 confirm the vulnerable code path in the plugin repository.

RemediationAI

An upstream fix has been committed to the WordPress plugin repository as changeset 3554570 (plugins.trac.wordpress.org/changeset?old=3554570%40event-monster&new=3554570%40event-monster); however, the exact released plugin version number that includes this fix is not independently confirmed from the available input data - site administrators should update to the latest available version of Event Monster from the WordPress plugin directory and verify the installed version is newer than 2.1.0. As a compensating control while patching, administrators can deactivate the Event Monster plugin entirely if paid ticketing is not actively required, or use a WAF rule (such as Wordfence's firewall) to block POST requests to wp-admin/admin-ajax.php targeting action=em_capture_payment. Restricting admin-ajax.php access to authenticated sessions only would break legitimate unauthenticated AJAX features across WordPress and is not recommended as a blanket mitigation. Wordfence customers should verify their firewall rules cover this specific action parameter. The Wordfence advisory at wordfence.com/threat-intel/vulnerabilities/id/daddfbd2-cff4-4caa-bbdc-9945a635a1d6 should be consulted for the latest patch version confirmation.

CVE-2016-10045 CRITICAL POC
9.8 Dec 30

The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-5084 CRITICAL POC
9.8 May 23

The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

CVE-2020-36847 CRITICAL POC
9.8 Jul 12

The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner

CVE-2025-11749 CRITICAL POC
9.8 Nov 05

The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint

CVE-2016-1209 CRITICAL POC
9.8 May 14

The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via

CVE-2024-4443 CRITICAL POC
9.8 May 22

The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based

CVE-2024-1698 CRITICAL POC
9.8 Feb 27

SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a

CVE-2023-6875 CRITICAL POC
9.8 Jan 11

The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i

CVE-2024-1512 CRITICAL POC
9.8 Feb 17

The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base

CVE-2024-3495 CRITICAL POC
9.8 May 22

The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete

Share

CVE-2026-8608 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy