Skip to main content

WP Event Solution EUVDEUVD-2026-36985

| CVE-2026-40776 HIGH
Missing Authorization (CWE-862)
2026-06-15 Patchstack GHSA-4vf2-hvg4-5qq2
7.5
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
7.5 HIGH

Unauthenticated network-reachable WordPress REST/AJAX endpoint with missing authorization (PR:N, AC:L, AV:N) discloses sensitive plugin data (C:H) without modifying state (I:N/A:N).

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 15, 2026 - 22:09 vuln.today

DescriptionCVE.org

Unauthenticated Broken Access Control in WP Event SOlution <= 4.1.8 versions.

AnalysisAI

Unauthenticated information disclosure in the Arraytics WP Event Solution (Eventin) WordPress plugin through version 4.1.8 allows remote attackers to bypass access control checks and read data they should not be permitted to access. The flaw was disclosed by Patchstack and tracked as EUVD-2026-36985; no public exploit code has been identified at time of analysis, and the vulnerability is not listed in CISA KEV.

Technical ContextAI

WP Event Solution (commonly distributed as the 'Eventin' plugin by Arraytics, CPE cpe:2.3:a:arraytics:wp_event_solution) is a WordPress event-management plugin that exposes REST/AJAX endpoints for managing events, attendees, schedules, and related resources. The root cause is CWE-862 (Missing Authorization): one or more of these endpoints fail to verify the caller's capability or nonce before serving or acting on protected data, so any unauthenticated HTTP client can invoke them. This class of bug is endemic to WordPress plugins because authorization checks must be added explicitly to every callback registered via register_rest_route or admin-ajax handlers.

RemediationAI

Upgrade the WP Event Solution / Eventin plugin to the first release above 4.1.8 published by Arraytics; consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/wp-event-solution/vulnerability/wordpress-eventin-plugin-4-1-8-broken-access-control-vulnerability for the exact patched version, as the input data does not name a specific fixed build. Until the upgrade is applied, restrict access to the plugin's REST and admin-ajax endpoints (paths under /wp-json/eventin/ and admin-ajax.php actions prefixed with eventin_/wp_event_solution_) via a WAF rule or web-server ACL limited to authenticated administrators, accepting the trade-off that legitimate front-end event listings or attendee flows that rely on those endpoints may break. As a heavier compensating control, deactivate the plugin entirely on sites that do not actively need event management, which removes the attack surface but disables event pages.

Share

EUVD-2026-36985 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy