Eventin Event Calendar Event Registration Tickets Booking Ai Powered
Monthly
Authorization bypass in the Eventin WordPress plugin (versions 4.0.26-4.1.15) enables unauthenticated attackers to mark unpaid ticket orders as completed by submitting a fabricated SureCart checkout ID or FluentCart cart hash to the payment_complete() REST endpoint. The wp_rest nonce required to reach this endpoint is embedded in the HTML of every public event page, eliminating any credential or session requirement. This is a confirmed regression - the same function and endpoint were previously patched by Arraytics, but the fix was lost in subsequent releases; no public exploit has been identified at time of analysis.
Stored cross-site scripting in the Eventin WordPress event management plugin (all versions through 4.1.15) lets any contributor-level user permanently embed malicious JavaScript in event FAQ sections via the unescaped `etn_faq_content` parameter. The CVSS scope change (S:C) confirms the impact crosses the attacker's security context - injected scripts execute in any visitor's browser who loads the affected event page, enabling session hijacking or credential harvesting of higher-privileged users including site administrators. No public exploit has been identified and the vulnerability is not listed in CISA KEV, but the low attack complexity and commonly granted contributor role make this a credible insider-threat risk on multi-user WordPress installations.
Authorization bypass in the Eventin WordPress plugin (versions 4.0.26-4.1.15) enables unauthenticated attackers to mark unpaid ticket orders as completed by submitting a fabricated SureCart checkout ID or FluentCart cart hash to the payment_complete() REST endpoint. The wp_rest nonce required to reach this endpoint is embedded in the HTML of every public event page, eliminating any credential or session requirement. This is a confirmed regression - the same function and endpoint were previously patched by Arraytics, but the fix was lost in subsequent releases; no public exploit has been identified at time of analysis.
Stored cross-site scripting in the Eventin WordPress event management plugin (all versions through 4.1.15) lets any contributor-level user permanently embed malicious JavaScript in event FAQ sections via the unescaped `etn_faq_content` parameter. The CVSS scope change (S:C) confirms the impact crosses the attacker's security context - injected scripts execute in any visitor's browser who loads the affected event page, enabling session hijacking or credential harvesting of higher-privileged users including site administrators. No public exploit has been identified and the vulnerability is not listed in CISA KEV, but the low attack complexity and commonly granted contributor role make this a credible insider-threat risk on multi-user WordPress installations.