Skip to main content

Eventin Event Calendar Event Registration Tickets Booking Ai Powered

2 CVEs product

Monthly

CVE-2026-13039 MEDIUM This Month

Authorization bypass in the Eventin WordPress plugin (versions 4.0.26-4.1.15) enables unauthenticated attackers to mark unpaid ticket orders as completed by submitting a fabricated SureCart checkout ID or FluentCart cart hash to the payment_complete() REST endpoint. The wp_rest nonce required to reach this endpoint is embedded in the HTML of every public event page, eliminating any credential or session requirement. This is a confirmed regression - the same function and endpoint were previously patched by Arraytics, but the fix was lost in subsequent releases; no public exploit has been identified at time of analysis.

Authentication Bypass WordPress PHP Eventin Event Calendar Event Registration Tickets Booking Ai Powered
NVD
CVSS 3.1
5.3
EPSS
0.3%
CVE-2026-12924 MEDIUM This Month

Stored cross-site scripting in the Eventin WordPress event management plugin (all versions through 4.1.15) lets any contributor-level user permanently embed malicious JavaScript in event FAQ sections via the unescaped `etn_faq_content` parameter. The CVSS scope change (S:C) confirms the impact crosses the attacker's security context - injected scripts execute in any visitor's browser who loads the affected event page, enabling session hijacking or credential harvesting of higher-privileged users including site administrators. No public exploit has been identified and the vulnerability is not listed in CISA KEV, but the low attack complexity and commonly granted contributor role make this a credible insider-threat risk on multi-user WordPress installations.

WordPress XSS Eventin Event Calendar Event Registration Tickets Booking Ai Powered
NVD
CVSS 3.1
6.4
EPSS
0.2%
EPSS 0% CVSS 5.3
MEDIUM This Month

Authorization bypass in the Eventin WordPress plugin (versions 4.0.26-4.1.15) enables unauthenticated attackers to mark unpaid ticket orders as completed by submitting a fabricated SureCart checkout ID or FluentCart cart hash to the payment_complete() REST endpoint. The wp_rest nonce required to reach this endpoint is embedded in the HTML of every public event page, eliminating any credential or session requirement. This is a confirmed regression - the same function and endpoint were previously patched by Arraytics, but the fix was lost in subsequent releases; no public exploit has been identified at time of analysis.

Authentication Bypass WordPress PHP +1
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored cross-site scripting in the Eventin WordPress event management plugin (all versions through 4.1.15) lets any contributor-level user permanently embed malicious JavaScript in event FAQ sections via the unescaped `etn_faq_content` parameter. The CVSS scope change (S:C) confirms the impact crosses the attacker's security context - injected scripts execute in any visitor's browser who loads the affected event page, enabling session hijacking or credential harvesting of higher-privileged users including site administrators. No public exploit has been identified and the vulnerability is not listed in CISA KEV, but the low attack complexity and commonly granted contributor role make this a credible insider-threat risk on multi-user WordPress installations.

WordPress XSS Eventin Event Calendar Event Registration Tickets Booking Ai Powered
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy