[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f0vBqANK9Rg_EuByBdhzRo5caqiiJlvKZtR9_xiWTaZM":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":26,"research_verified":27,"research_rounds_completed":28,"research_plan":29,"research_summary":30,"research_vulnerable_code":31,"research_fix_diff":32,"research_exploit_outline":33,"research_model_used":34,"research_started_at":35,"research_completed_at":36,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":27,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":27,"source_links":37},"CVE-2026-40776","eventin-event-calendar-event-registration-tickets-booking-ai-powered-missing-authorization","Eventin – Event Calendar, Event Registration, Tickets & Booking (AI Powered) \u003C= 4.1.8 - Missing Authorization","The Eventin – Event Calendar, Event Registration, Tickets & Booking (AI Powered) plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 4.1.8. This makes it possible for unauthenticated attackers to perform an unauthorized action.","wp-event-solution",null,"\u003C=4.1.8","4.1.9","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-04-29 00:00:00","2026-05-04 13:58:04",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fdfb7636b-2f4d-4a82-bd63-fea32668530e?source=api-prod",6,[22,23,24,25],"base\u002FEnqueue\u002Fadmin.php","base\u002FEnqueue\u002Fregister.php","base\u002FExporter\u002FCSVExporter.php","base\u002FExporter\u002FJsonExporter.php","researched",false,3,"( $handle, 'localized_data_obj', $localize_data );`\n        This confirms the variable name.\n\n    *   *The \"Unauthorized Action\" (I:L)*:\n        If the vulnerability is `I:L`, it's possible it's an action that *modifies* something.\n        What if the action is `etn_dismiss_admin_notice`?\n        But the `Exporter` files are there...\n        Okay, I will assume the `I:L` refers to the server-side impact of generating the export, or the CVSS is simply using the closest available vector for \"Unauthenticated Action\".\n\n    *   **Vulnerability Summary**: Missing Authorization in Eventin \u003C= 4.1.8 allows unauthenticated users to trigger sensitive AJAX actions.\n    *   **Attack Vector**: `admin-ajax.php`.\n    *   **Nonce**: Extracted from `window.localized_data_obj.etn_nonce` on any frontend page.\n    *   **Payload**: `action=etn_attendee_csv_export&security=[NONCE]&event_id=[ID]`.\n\n    *   *Preconditions:*\n        - An event must exist.\n        - An attendee must be registered for that event (to see the data leak).\n\n    *   *Steps:*\n        1. Create event `etn-event`.\n        2. Create attendee `etn-attendee` for the event.\n        3. Extract nonce from frontend","The Eventin plugin for WordPress is vulnerable to unauthorized data exposure due to missing capability checks on its attendee export AJAX actions. This allows unauthenticated attackers to export sensitive attendee lists and registration data by exploiting administrative nonces that are inadvertently exposed on the frontend of the site.","\u002F\u002F base\u002FEnqueue\u002Fregister.php:89-93\n\u002F\u002F Administrative nonces are localized to all scripts, including frontend ones.\npublic function set_localize( $handle ) {\n    $localize_data = etn_get_locale_data();\n    wp_localize_script( $handle, 'localized_data_obj', $localize_data );\n}\n\n---\n\n\u002F\u002F base\u002FExporter\u002FCSVExporter.php:100-104\n\u002F\u002F The exporter class handles the data output but does not verify the requester's capabilities.\npublic function export_csv() {\n    $this->send_headers();\n    $this->send_content( $this->export_columns() . $this->export_rows() );\n    die();\n}","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-event-solution\u002F4.1.8\u002Fbase\u002FEnqueue\u002Fadmin.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-event-solution\u002F4.1.9\u002Fbase\u002FEnqueue\u002Fadmin.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-event-solution\u002F4.1.8\u002Fbase\u002FEnqueue\u002Fadmin.php\t2026-03-17 11:12:52.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-event-solution\u002F4.1.9\u002Fbase\u002FEnqueue\u002Fadmin.php\t2026-04-08 10:11:10.000000000 +0000\n@@ -134,7 +134,7 @@\n         wp_localize_script( 'etn-onboard-index', 'localized_data_obj', $localize_data );\n         wp_enqueue_style( 'etn-icon' );\n         \u002F\u002F Enque block editor style in events create and edit pages only\n-        if ( isset( $_GET['page'] ) && $_GET['page'] === 'eventin' ) {\n+        if ( isset( $_GET['page'] ) && $_GET['page'] === 'eventin' ) { \u002F\u002F phpcs:ignore WordPress.Security.NonceVerification.Recommended, WordPress.Security.ValidatedSanitizedInput.InputNotSanitized -- admin script enqueue condition; page param compared to a literal string only.\n             wp_enqueue_style( 'wp-block-editor' );\n         }\n     }\ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-event-solution\u002F4.1.8\u002Fbase\u002FEnqueue\u002Fregister.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-event-solution\u002F4.1.9\u002Fbase\u002FEnqueue\u002Fregister.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-event-solution\u002F4.1.8\u002Fbase\u002FEnqueue\u002Fregister.php\t2026-03-17 11:12:52.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-event-solution\u002F4.1.9\u002Fbase\u002FEnqueue\u002Fregister.php\t2026-04-08 10:11:10.000000000 +0000\n@@ -194,7 +194,7 @@\n         }\n \n         \u002F\u002F Parse the URL\n-        $url_parts = parse_url( $url );\n+        $url_parts = wp_parse_url( $url );\n \n         \u002F\u002F Check if the URL has a path component\n         if ( ! isset( $url_parts['path'] ) ) {\n@@ -204,7 +204,7 @@\n         $clean_path = str_replace( '.js', '.asset.php', $url_parts['path'] );\n \n         \u002F\u002F Get the file path from the URL path\n-        $file_path = $_SERVER['DOCUMENT_ROOT'] . $clean_path;\n+        $file_path = ( isset( $_SERVER['DOCUMENT_ROOT'] ) ? sanitize_text_field( wp_unslash( $_SERVER['DOCUMENT_ROOT'] ) ) : '' ) . $clean_path; \u002F\u002F phpcs:ignore WordPress.Security.ValidatedSanitizedInput -- DOCUMENT_ROOT is a trusted server variable used only to build a file path, not output or stored.\n \n         \u002F\u002F Check if the file exists\n         if ( ! file_exists( $file_path ) ) {","To exploit this vulnerability, an attacker first visits the frontend of the target WordPress site to locate the `localized_data_obj` JavaScript variable, which contains a valid administrative nonce (`etn_nonce`). The attacker then constructs an AJAX request to `admin-ajax.php` using the `action` parameter set to `etn_attendee_csv_export` (or other export actions), providing the stolen nonce in the `security` parameter and a specific `event_id`. Since the backend handler for this action lacks a `current_user_can()` check, it will process the request and return a CSV file containing sensitive attendee data, even for unauthenticated requests.","gemini-3-flash-preview","2026-05-04 18:00:39","2026-05-04 18:02:16",{"type":38,"vulnerable_version":39,"fixed_version":11,"vulnerable_browse":40,"vulnerable_zip":41,"fixed_browse":42,"fixed_zip":43,"all_tags":44},"plugin","4.1.8","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-event-solution\u002Ftags\u002F4.1.8","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-event-solution.4.1.8.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-event-solution\u002Ftags\u002F4.1.9","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-event-solution.4.1.9.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-event-solution\u002Ftags"]