PatchSiren cyber security CVE debrief
CVE-2026-13039 arraytics CVE debrief
The Eventin – Event Calendar, Event Registration, Tickets & Booking (AI Powered) plugin for WordPress is vulnerable to authorization bypass due to a regression in versions from 4.0.26 up to and including 4.1.15. This regression affects the payment_complete() function in PaymentController.php, allowing unauthenticated attackers to manipulate ticket orders. The vulnerability has a CVSS score of 5.3 and is classified as MEDIUM severity. Users of the Eventin plugin, particularly those with versions 4.0.26 to 4.1.15 installed, should be aware of this vulnerability and take necessary actions to protect their sites.
- Vendor
- arraytics
- Product
- Eventin – Event Calendar, Event Registration, Tickets & Booking (AI Powered)
- CVSS
- MEDIUM 5.3
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-10
- Original CVE updated
- 2026-07-10
- Advisory published
- 2026-07-10
- Advisory updated
- 2026-07-10
Who should care
Users of the Eventin plugin for WordPress, particularly those with versions 4.0.26 to 4.1.15 installed, should be aware of this vulnerability and take necessary actions to protect their sites. This includes updating the plugin, monitoring for suspicious activity, and implementing additional security measures.
Technical summary
The vulnerability allows unauthenticated attackers to mark unpaid ticket orders as completed by submitting a fabricated SureCart checkout ID or FluentCart cart hash, granting themselves paid event access, QR-code attendee tickets, and order confirmation emails without making any real payment. This issue arises from a regression in the payment_complete() function of PaymentController.php, where the plugin fails to properly verify user authorization. The wp_rest nonce required to reach the vulnerable endpoint is embedded in every public event page, making it easily accessible without needing a WordPress session or credentials.
Defensive priority
Medium priority due to the potential for unauthorized access and modification of event tickets and orders.
Recommended defensive actions
- Update the Eventin plugin to a version outside of the vulnerable range (4.0.26 to 4.1.15) if available.
- Monitor event ticket orders and payments for suspicious activity.
- Implement additional security measures such as IP blocking or rate limiting for the vulnerable endpoint.
- Verify the authenticity of users and their actions within the plugin.
- Review compensating controls for exposed systems while remediation is scheduled and verified.
- Check relevant monitoring, detection, and logs for exposed assets that need extra review.
- Track exceptions, retest remediated assets, and close the item only after evidence is documented.
Evidence notes
The vulnerability represents a regression — the same function and endpoint were previously patched but the fix did not persist through subsequent releases. The wp_rest nonce required to reach the vulnerable endpoint is embedded in every public event page, meaning no WordPress session or credentials are needed to obtain it. This issue highlights the importance of thorough and persistent security fixes in plugin development.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-10T21:16:53.283Z and has not been modified since then.