CVE-2026-13039 in Eventin Plugin
Summary
by MITRE • 07/10/2026
The Eventin – Event Calendar, Event Registration, Tickets & Booking (AI Powered) plugin for WordPress is vulnerable to authorization bypass due to a regression in versions from 4.0.26 up to and including 4.1.15. This is due to the plugin not properly verifying that a user is authorized to perform an action in the payment_complete() function of PaymentController.php. This makes it possible for unauthenticated attackers to mark unpaid ticket orders as completed by submitting a fabricated SureCart checkout ID or FluentCart cart hash, granting themselves paid event access, QR-code attendee tickets, and order confirmation emails without making any real payment. The wp_rest nonce required to reach the vulnerable endpoint is embedded in every public event page, meaning no WordPress session or credentials are needed to obtain it. This vulnerability represents a regression — the same function and endpoint were previously patched but the fix did not persist through subsequent releases.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 07/10/2026
The Eventin WordPress plugin presents a critical authorization bypass vulnerability that exploits a regression in its payment processing logic, affecting versions 4.0.26 through 4.1.15. This flaw resides within the payment_complete() function of the PaymentController.php file where proper user authentication verification is absent, allowing unauthenticated attackers to manipulate ticket order statuses without legitimate payment. The vulnerability stems from insufficient authorization checks that should normally validate user credentials before permitting payment completion actions, creating a pathway for malicious actors to bypass the entire payment workflow.
The technical implementation of this vulnerability leverages the exposed wp_rest nonce mechanism which is embedded within every public event page, eliminating the need for any WordPress session or authentication credentials. Attackers can fabricate SureCart checkout IDs or FluentCart cart hashes to submit fake payment confirmations, effectively marking unpaid orders as completed and gaining unauthorized access to paid event features including QR-code attendee tickets and order confirmation emails. This represents a direct violation of standard security practices where the nonce validation should act as a protective barrier against unauthorized modifications to payment status, yet it fails to properly enforce authorization requirements.
The operational impact of this vulnerability extends beyond simple unauthorized access, as it enables complete compromise of the plugin's ticketing system and revenue protection mechanisms. Unauthenticated attackers can systematically exploit this regression to gain paid event access for free, potentially resulting in significant financial losses for event organizers who rely on proper payment processing. The vulnerability's persistence through multiple releases indicates a critical oversight in quality assurance and regression testing processes, where previously identified security fixes were not properly maintained across version updates.
This authorization bypass vulnerability aligns with CWE-863 (Incorrect Authorization) and demonstrates characteristics consistent with ATT&CK technique T1078 (Valid Accounts) and T1566 (Phishing) as attackers can leverage exposed nonces to impersonate legitimate payment processing activities. The regression nature of this flaw suggests inadequate change management procedures and insufficient automated security testing during the development lifecycle, allowing previously patched vulnerabilities to reemerge in subsequent releases. Organizations using affected versions should immediately implement mitigations including disabling the vulnerable endpoints, implementing additional authentication layers, or upgrading to patched versions that properly address the authorization verification gap.
The vulnerability's exposure through publicly accessible nonces represents a fundamental flaw in the plugin's security architecture, where client-side nonce generation and embedding creates an attack surface that can be exploited without any prior authentication. This pattern of nonce exposure violates best practices for secure web application design and demonstrates the critical importance of maintaining proper authorization boundaries even in seemingly simple payment processing functions. The fact that this vulnerability affects core booking functionality makes it particularly dangerous as it undermines the entire commercial value proposition of the plugin's event management features.