PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-41471 Scott Paterson CVE debrief

CVE-2026-41471 is a HIGH severity (CVSS 8.2) information disclosure vulnerability in the Easy PayPal Events & Tickets WordPress plugin, affecting versions prior to 1.4. The vulnerability resides in the `scan_qr.php` endpoint, which fails to implement authentication or authorization checks when processing QR code scan requests. Unauthenticated attackers can exploit sequential WordPress post ID enumeration to retrieve complete customer order records from the database without requiring prior knowledge of specific order identifiers. The vulnerability was published on 2026-05-04 and last modified on 2026-05-26. The issue is classified as CWE-639 (Authorization Bypass Through User-Controlled Key). Organizations using affected versions should upgrade to version 1.4 or later and implement additional access controls on sensitive endpoints.

Vendor
Scott Paterson
Product
easy-paypal-events-tickets
CVSS
HIGH 8.2
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-04
Original CVE updated
2026-05-26
Advisory published
2026-05-04
Advisory updated
2026-05-26

Who should care

WordPress site administrators using Easy PayPal Events & Tickets plugin; e-commerce security teams; payment processing compliance officers; organizations subject to PCI-DSS or GDPR requirements handling customer order data

Technical summary

The `scan_qr.php` endpoint in Easy PayPal Events & Tickets plugin versions before 1.4 accepts sequential post IDs without authentication, enabling attackers to iterate through order records and extract customer data. Because the IDs are predictable, an attacker can walk through every order record without first knowing any valid order identifier.

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade Easy PayPal Events & Tickets plugin to version 1.4 or later
  • Implement IP-based rate limiting on QR code scanning endpoints
  • Add authentication requirements to order retrieval functionality
  • Review web server access logs for sequential ID enumeration patterns
  • Consider Web Application Firewall rules to block automated enumeration attempts
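To support the log-review action above, here is an added example (not code from PatchSiren or the plugin vendor) that flags clients walking strictly consecutive IDs against `scan_qr.php` in combined-format web server access logs. The plugin URL path and the `id` query parameter name are assumptions, since the advisory only names `scan_qr.php`, and the log lines are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse, parse_qs
# One Apache/nginx "combined" access-log line: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample traffic, not real logs. The plugin path and the "id" query
# parameter name are assumptions; the advisory only names scan_qr.php.
ENDPOINT = "/wp-content/plugins/easy-paypal-events-tickets/scan_qr.php"
SAMPLE_LOG = "\n".join(
    f'{ip} - - [04/May/2026:10:00:{i:02d} +0000] "GET {path} HTTP/1.1" 200 512 "-" "{ua}"'
    for i, (ip, path, ua) in enumerate(
        [("198.51.100.20", f"{ENDPOINT}?id=77", "Mozilla/5.0")]            # a real ticket scan
        + [("203.0.113.7", f"{ENDPOINT}?id={n}", "python-requests/2.31")  # scripted ID walk
           for n in range(1041, 1048)]
        + [("198.51.100.20", "/wp-admin/admin-ajax.php?action=heartbeat", "Mozilla/5.0"),
           ("198.51.100.20", f"{ENDPOINT}?id=312", "Mozilla/5.0")]
    )
)

def find_enumeration(log_text, endpoint="scan_qr.php", id_param="id", min_run=5):
    """Map client IP -> [(first_id, last_id, count)] for runs of consecutive IDs of length >= min_run."""
    ids_by_ip = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        url = urlparse(m.group("target"))
        if not url.path.endswith(endpoint):
            continue  # only requests to the vulnerable endpoint matter here
        value = parse_qs(url.query).get(id_param, [""])[0]
        if value.isdigit():
            ids_by_ip[m.group("ip")].append(int(value))

    findings = defaultdict(list)
    for ip, ids in ids_by_ip.items():
        start = 0
        for i in range(1, len(ids) + 1):
            # A run ends when the next ID is not previous + 1, or at the end of the list.
            if i == len(ids) or ids[i] != ids[i - 1] + 1:
                if i - start >= min_run:
                    findings[ip].append((ids[start], ids[i - 1], i - start))
                start = i
    return dict(findings)

if __name__ == "__main__":
    print(find_enumeration(SAMPLE_LOG))
```

Tune `min_run` to the site's normal scanning volume: a single entrance gate legitimately scans many tickets, but their IDs are not requested in strict ascending order one after another.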

Evidence notes

Vulnerability confirmed via official NVD record with CVSS 4.0 vector. Advisory published by VulnCheck with technical disclosure via GitHub Gist. WordPress plugin repository confirms version 1.4 as remediation point.

Official resources

2026-05-04