CVE-2026-40776

Eventin – Event Calendar, Event Registration, Tickets & Booking (AI Powered) <= 4.1.8 - Missing Authorization

Severity: medium (Missing Authorization)
CVSS Score: 5.3
Patched in: 4.1.9
Time to patch: 6d

Description

The Eventin – Event Calendar, Event Registration, Tickets & Booking (AI Powered) plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 4.1.8. This makes it possible for unauthenticated attackers to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

Technical Details

Affected versions: <= 4.1.8
Published: April 29, 2026
Last updated: May 4, 2026
Affected plugin: wp-event-solution

What Changed in the Fix

Changes introduced in v4.1.9

Source Code: WordPress.org SVN

Research Plan (Unverified)

( $handle, 'localized_data_obj', $localize_data );`
This confirms the variable name.

*   *The "Unauthorized Action" (I:L)*:
    If the vulnerability is `I:L`, it's possible it's an action that *modifies* something.
    What if the action is `etn_dismiss_admin_notice`?
    But the `Exporter` files are there...
    Okay, I will assume the `I:L` refers to the server-side impact of generating the export, or the CVSS is simply using the closest available vector for "Unauthenticated Action".

*   **Vulnerability Summary**: Missing Authorization in Eventin <= 4.1.8 allows unauthenticated users to trigger sensitive AJAX actions.
*   **Attack Vector**: `admin-ajax.php`.
*   **Nonce**: Extracted from `window.localized_data_obj.etn_nonce` on any frontend page.
*   **Payload**: `action=etn_attendee_csv_export&security=[NONCE]&event_id=[ID]`.

*   *Preconditions:*
    - An event must exist.
    - An attendee must be registered for that event (to see the data leak).

*   *Steps:*
    1. Create event `etn-event`.
    2. Create attendee `etn-attendee` for the event.
    3. Extract nonce from frontend

Research Findings
Static analysis — not yet PoC-verified

Summary

The Eventin plugin for WordPress is vulnerable to unauthorized data exposure due to missing capability checks on its attendee export AJAX actions. This allows unauthenticated attackers to export sensitive attendee lists and registration data by exploiting administrative nonces that are inadvertently exposed on the frontend of the site.

Vulnerable Code

// base/Enqueue/register.php:89-93
// Administrative nonces are localized to all scripts, including frontend ones.
public function set_localize( $handle ) {
    $localize_data = etn_get_locale_data();
    wp_localize_script( $handle, 'localized_data_obj', $localize_data );
}

---

// base/Exporter/CSVExporter.php:100-104
// The exporter class handles the data output but does not verify the requester's capabilities.
public function export_csv() {
    $this->send_headers();
    $this->send_content( $this->export_columns() . $this->export_rows() );
    die();
}

Security Fix

diff -ru /home/deploy/wp-safety.org/data/plugin-versions/wp-event-solution/4.1.8/base/Enqueue/admin.php /home/deploy/wp-safety.org/data/plugin-versions/wp-event-solution/4.1.9/base/Enqueue/admin.php
--- /home/deploy/wp-safety.org/data/plugin-versions/wp-event-solution/4.1.8/base/Enqueue/admin.php	2026-03-17 11:12:52.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/wp-event-solution/4.1.9/base/Enqueue/admin.php	2026-04-08 10:11:10.000000000 +0000
@@ -134,7 +134,7 @@
         wp_localize_script( 'etn-onboard-index', 'localized_data_obj', $localize_data );
         wp_enqueue_style( 'etn-icon' );
         // Enque block editor style in events create and edit pages only
-        if ( isset( $_GET['page'] ) && $_GET['page'] === 'eventin' ) {
+        if ( isset( $_GET['page'] ) && $_GET['page'] === 'eventin' ) { // phpcs:ignore WordPress.Security.NonceVerification.Recommended, WordPress.Security.ValidatedSanitizedInput.InputNotSanitized -- admin script enqueue condition; page param compared to a literal string only.
             wp_enqueue_style( 'wp-block-editor' );
         }
     }
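Review bot: this hunk is a no-op for the issue the advisory describes; the only change is the phpcs:ignore annotation on the `$_GET['page']` condition, while the `wp_localize_script( 'etn-onboard-index', 'localized_data_obj', $localize_data );` call in the context line above it is untouched. If the fix for the nonce exposure lives elsewhere (for example in what `etn_get_locale_data()` returns, or in which script handles `set_localize()` is attached to), the commit message should say so, because a reader of this diff cannot see it.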
diff -ru /home/deploy/wp-safety.org/data/plugin-versions/wp-event-solution/4.1.8/base/Enqueue/register.php /home/deploy/wp-safety.org/data/plugin-versions/wp-event-solution/4.1.9/base/Enqueue/register.php
--- /home/deploy/wp-safety.org/data/plugin-versions/wp-event-solution/4.1.8/base/Enqueue/register.php	2026-03-17 11:12:52.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/wp-event-solution/4.1.9/base/Enqueue/register.php	2026-04-08 10:11:10.000000000 +0000
@@ -194,7 +194,7 @@
         }
 
         // Parse the URL
-        $url_parts = parse_url( $url );
+        $url_parts = wp_parse_url( $url );
 
         // Check if the URL has a path component
         if ( ! isset( $url_parts['path'] ) ) {
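Review bot: swapping `parse_url()` for `wp_parse_url()` is a reasonable hardening (it smooths over PHP-version differences and schemeless URLs), but it is unrelated to the missing capability check; a one-line note in the commit would stop it being mistaken for the security fix.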
@@ -204,7 +204,7 @@
         $clean_path = str_replace( '.js', '.asset.php', $url_parts['path'] );
 
         // Get the file path from the URL path
-        $file_path = $_SERVER['DOCUMENT_ROOT'] . $clean_path;
+        $file_path = ( isset( $_SERVER['DOCUMENT_ROOT'] ) ? sanitize_text_field( wp_unslash( $_SERVER['DOCUMENT_ROOT'] ) ) : '' ) . $clean_path; // phpcs:ignore WordPress.Security.ValidatedSanitizedInput -- DOCUMENT_ROOT is a trusted server variable used only to build a file path, not output or stored.
 
         // Check if the file exists
         if ( ! file_exists( $file_path ) ) {
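Review bot: applying `sanitize_text_field()` to `$_SERVER['DOCUMENT_ROOT']` is the wrong tool for a filesystem path: it strips tags and control octets and trims whitespace, so an unusual but legitimate document root could silently yield a wrong `$file_path` and a spurious `file_exists()` failure. If the goal is only to satisfy phpcs, the ignore comment on the same line already does that; a path is better normalised with `wp_normalize_path()` than text-sanitised. Separately, none of the three hunks shown adds the `current_user_can()` check the advisory identifies as the root cause, so the authorization fix must be in a file not included in this diff.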

Exploit Outline

To exploit this vulnerability, an attacker first visits the frontend of the target WordPress site to locate the `localized_data_obj` JavaScript variable, which contains a valid administrative nonce (`etn_nonce`). The attacker then constructs an AJAX request to `admin-ajax.php` using the `action` parameter set to `etn_attendee_csv_export` (or other export actions), providing the stolen nonce in the `security` parameter and a specific `event_id`. Since the backend handler for this action lacks a `current_user_can()` check, it will process the request and return a CSV file containing sensitive attendee data, even for unauthenticated requests.
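For contrast with the outline above, here is the hardened shape of the same export handler, written as an added example and not taken from the plugin: the action is registered for logged-in users only, the nonce is verified, a capability is checked before any export runs, the event id is validated, and the nonce is localized only on the admin screen rather than on every script. Apart from the action name `etn_attendee_csv_export`, the `security` field, the `etn_nonce` key and the `etn-event` post type, which appear on this page, all hook names, handles, capability and filter names are assumptions.

```php
<?php
// Added example (hypothetical), not the plugin's code: the hardened shape of a
// privileged AJAX export handler. Names marked "assumed" are not from the plugin.
// 1. Register for logged-in users only. With no wp_ajax_nopriv_ variant,
//    unauthenticated calls to this action get WordPress's default "0" reply.
add_action( 'wp_ajax_etn_attendee_csv_export', 'example_attendee_csv_export' );

function example_attendee_csv_export() {
    // 2. Nonce check on the 'security' field (nonce action name assumed).
    //    A leaked nonce alone is not enough, because step 3 still applies.
    check_ajax_referer( 'etn_export', 'security' );

    // 3. Capability check: the control the advisory says was missing.
    //    'manage_options' is an assumed choice; a narrower custom cap is better.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 4. Validate event_id before any query ('etn-event' is the post type named above).
    $event_id = isset( $_POST['event_id'] ) ? absint( $_POST['event_id'] ) : 0;
    if ( ! $event_id || 'etn-event' !== get_post_type( $event_id ) ) {
        wp_send_json_error( array( 'message' => 'Invalid event.' ), 400 );
    }

    example_stream_attendee_csv( $event_id );
    exit;
}

// Output path only; rows come from an assumed filter (plugin data model not guessed).
function example_stream_attendee_csv( $event_id ) {
    header( 'Content-Type: text/csv; charset=utf-8' );
    header( 'Content-Disposition: attachment; filename="attendees-' . $event_id . '.csv"' );
    $out = fopen( 'php://output', 'w' );
    foreach ( apply_filters( 'example_attendee_rows', array(), $event_id ) as $row ) {
        fputcsv( $out, $row );
    }
    fclose( $out );
}

// 5. Localize the nonce only on the plugin's admin screen (hook and handle assumed).
add_action( 'admin_enqueue_scripts', function ( $hook_suffix ) {
    if ( 'toplevel_page_eventin' !== $hook_suffix ) {
        return;
    }
    wp_localize_script( 'etn-admin', 'localized_data_obj', array(
        'ajax_url'  => admin_url( 'admin-ajax.php' ),
        'etn_nonce' => wp_create_nonce( 'etn_export' ),
    ) );
} );
```

The capability check in step 3 is the one control that makes a nonce harvested from a public page worthless, which is why it must sit in the handler rather than in the script-enqueue code the shown diff touches.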