Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Unauthenticated network-reachable WordPress REST/AJAX endpoint with missing authorization (PR:N, AC:L, AV:N) discloses sensitive plugin data (C:H) without modifying state (I:N/A:N).
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
1DescriptionCVE.org
Unauthenticated Broken Access Control in WP Event SOlution <= 4.1.8 versions.
AnalysisAI
Unauthenticated information disclosure in the Arraytics WP Event Solution (Eventin) WordPress plugin through version 4.1.8 allows remote attackers to bypass access control checks and read data they should not be permitted to access. The flaw was disclosed by Patchstack and tracked as EUVD-2026-36985; no public exploit code has been identified at time of analysis, and the vulnerability is not listed in CISA KEV.
Technical ContextAI
WP Event Solution (commonly distributed as the 'Eventin' plugin by Arraytics, CPE cpe:2.3:a:arraytics:wp_event_solution) is a WordPress event-management plugin that exposes REST/AJAX endpoints for managing events, attendees, schedules, and related resources. The root cause is CWE-862 (Missing Authorization): one or more of these endpoints fail to verify the caller's capability or nonce before serving or acting on protected data, so any unauthenticated HTTP client can invoke them. This class of bug is endemic to WordPress plugins because authorization checks must be added explicitly to every callback registered via register_rest_route or admin-ajax handlers.
RemediationAI
Upgrade the WP Event Solution / Eventin plugin to the first release above 4.1.8 published by Arraytics; consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/wp-event-solution/vulnerability/wordpress-eventin-plugin-4-1-8-broken-access-control-vulnerability for the exact patched version, as the input data does not name a specific fixed build. Until the upgrade is applied, restrict access to the plugin's REST and admin-ajax endpoints (paths under /wp-json/eventin/ and admin-ajax.php actions prefixed with eventin_/wp_event_solution_) via a WAF rule or web-server ACL limited to authenticated administrators, accepting the trade-off that legitimate front-end event listings or attendee flows that rely on those endpoints may break. As a heavier compensating control, deactivate the plugin entirely on sites that do not actively need event management, which removes the attack surface but disables event pages.
More in Wp Event Solution
View allSame weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36985
GHSA-4vf2-hvg4-5qq2