CVE-2026-45441

Event Booking Manager for WooCommerce <= 5.3.3 - Missing Authorization

mediumMissing Authorization
5.3
CVSS Score
5.3
CVSS Score
medium
Severity
5.3.4
Patched in
8d
Time to patch

Description

The Event Booking Manager for WooCommerce plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 5.3.3. This makes it possible for unauthenticated attackers to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=5.3.3
PublishedMay 26, 2026
Last updatedJune 2, 2026
Affected pluginmage-eventpress

What Changed in the Fix

Changes introduced in v5.3.4

Loading patch diff...

Source Code

WordPress.org SVN
Research Plan
Unverified

# Exploitation Research Plan - CVE-2026-45441 ## 1. Vulnerability Summary The **Event Booking Manager for WooCommerce** plugin (mage-eventpress) up to version 5.3.3 contains a **Missing Authorization** vulnerability. The plugin registers several AJAX actions intended for administrative use (such as…

Show full research plan

Exploitation Research Plan - CVE-2026-45441

1. Vulnerability Summary

The Event Booking Manager for WooCommerce plugin (mage-eventpress) up to version 5.3.3 contains a Missing Authorization vulnerability. The plugin registers several AJAX actions intended for administrative use (such as searching for icons or managing event data) but fails to implement proper capability checks (e.g., current_user_can()) or fails to restrict the hooks to authenticated administrative users.

Based on the provided source code in assets/admin/mkb-admin.js, the action mep_pick_icon is a primary candidate for this vulnerability, as it is used in an administrative context but appears to be callable via admin-ajax.php without session-specific security tokens (nonces) or verified authorization.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • HTTP Method: POST
  • Action: mep_pick_icon (confirmed in mkb-admin.js)
  • Vulnerable Parameter: query
  • Authentication Required: None (unauthenticated access is possible if wp_ajax_nopriv_ is used or if any logged-in user can trigger the wp_ajax_ hook without capability verification).
  • Preconditions: The plugin must be active.

3. Code Flow

  1. **Frontend Trigger
Research Findings
Static analysis — not yet PoC-verified

Summary

The Event Booking Manager for WooCommerce plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the backend handler for the mep_pick_icon AJAX action. This allows unauthenticated attackers to perform unauthorized searches for icons and potentially interact with administrative components by sending requests to the admin-ajax.php endpoint.

Vulnerable Code

// assets/admin/mkb-admin.js line 15
    $(document).on('input', "input[name='mep_icon_search_box']", function () {
        var searchQuery = $(this).val();
        $.ajax({
            url: ajaxurl, // WordPress's AJAX URL (for admin-ajax.php)
            method: 'POST',
            data: {
                action: 'mep_pick_icon', // The action name to hook into
                query: searchQuery, // The search query
            },
            success: function (response) {
                // Clear the icon list container
                $('.fa-icon-lists').html('');
                console.log(response);
                $.each(response, function (className, title) {
                    $('.fa-icon-lists').append(`
					<div class="icon" title="${title}" data-icon="${className}">
						<i class="${className}"></i>
					</div>
				`);
                });
            },
        });
    });

Security Fix

Only in /home/deploy/wp-safety.org/data/plugin-versions/mage-eventpress/5.3.4: admin
Only in /home/deploy/wp-safety.org/data/plugin-versions/mage-eventpress/5.0.1: Admin
Only in /home/deploy/wp-safety.org/data/plugin-versions/mage-eventpress/5.3.4/assets/admin: calendar-admin.css
Only in /home/deploy/wp-safety.org/data/plugin-versions/mage-eventpress/5.3.4/assets/admin: calendar-admin.js
diff -ru /home/deploy/wp-safety.org/data/plugin-versions/mage-eventpress/5.0.1/assets/admin/mep_analytics.css /home/deploy/wp-safety.org/data/plugin-versions/mage-eventpress/5.3.4/assets/admin/mep_analytics.css
--- /home/deploy/wp-safety.org/data/plugin-versions/mage-eventpress/5.0.1/assets/admin/mep_analytics.css	2025-10-31 02:21:42.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/mage-eventpress/5.3.4/assets/admin/mep_analytics.css	2026-05-21 08:27:48.000000000 +0000
@@ -1,7 +1,7 @@
 
 /* Filters Section */
 .mep-analytics-filters {
-    background-color: var(--mpev-white);
+    background-color: var(--color_white);
     padding: 20px;
     margin-bottom: 20px;
     border-radius: 5px;
Only in /home/deploy/wp-safety.org/data/plugin-versions/mage-eventpress/5.0.1/assets/admin: mkb-admin.js
Only in /home/deploy/wp-safety.org/data/plugin-versions/mage-eventpress/5.0.1/assets/admin: mp_admin_settings.js

Exploit Outline

The exploit involves interacting with the WordPress AJAX API without any authentication. An attacker sends a POST request to /wp-admin/admin-ajax.php with the 'action' parameter set to 'mep_pick_icon' and an arbitrary 'query' string. Because the plugin fails to implement a capability check (e.g., current_user_can('manage_options')) or verify a security nonce within the corresponding PHP handler, the server will process the request and return data (such as icon lists) even for unauthenticated users, confirming the missing authorization vulnerability.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.