[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fy1jZ_xjThjZqcRpZRq4pZs1bt-M-JPKNLQlZ5iPWAi0":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":26,"research_verified":27,"research_rounds_completed":28,"research_plan":29,"research_summary":30,"research_vulnerable_code":9,"research_fix_diff":31,"research_exploit_outline":32,"research_model_used":33,"research_started_at":34,"research_completed_at":35,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":27,"poc_model_used":9,"poc_verification_depth":9,"source_links":36},"CVE-2026-4109","eventin-events-calendar-event-booking-ticket-registration-ai-powered-missing-authorization-to-authenticated-subscriber-o","Eventin – Events Calendar, Event Booking, Ticket & Registration (AI Powered) \u003C= 4.1.8 Missing Authorization to Authenticated (Subscriber+) Order Information Exposure","The Eventin – Events Calendar, Event Booking, Ticket & Registration (AI Powered) plugin for WordPress is vulnerable to unauthorized access of data due to a improper capability check on the get_item_permissions_check() function in all versions up to, and including, 4.1.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read arbitrary order data including customer PII (name, email, phone) by iterating order IDs.","wp-event-solution",null,"\u003C=4.1.8","4.1.9","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:L\u002FI:N\u002FA:N","Missing Authorization","2026-04-13 18:46:40","2026-04-14 07:43:04",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F87f82d5d-d89a-440d-8c23-ace5160a0739?source=api-prod",1,[22,23,24,25],"base\u002FEnqueue\u002Fadmin.php","base\u002FEnqueue\u002Fregister.php","base\u002FExporter\u002FCSVExporter.php","base\u002FExporter\u002FJsonExporter.php","researched",false,3,"# Vulnerability Research Plan: CVE-2026-4109 - Eventin Order Information Exposure\n\n## 1. Vulnerability Summary\nThe **Eventin** plugin (versions \u003C= 4.1.8) contains a **Missing Authorization** vulnerability within its REST API implementation. Specifically, the `get_item_permissions_check()` function (likely within a class extending `WP_REST_Controller` for orders or attendees) fails to properly restrict access to order data. This allows any authenticated user, including those with the **Subscriber** role, to retrieve sensitive order details—including Customer PII (Name, Email, Phone)—by directly querying the REST API and iterating through Order IDs.\n\n## 2. Attack Vector Analysis\n*   **Endpoint:** WordPress REST API.\n*   **Likely Route:** `\u002Fwp-json\u002Feventin\u002Fv1\u002Forders\u002F(?P\u003Cid>[\\d]+)` or `\u002Fwp-json\u002Feventin\u002Fv1\u002Fattendees\u002F(?P\u003Cid>[\\d]+)` (Namespace: `eventin\u002Fv1` inferred from standard plugin architecture).\n*   **HTTP Method:** `GET`.\n*   **Authentication:** Authenticated (Subscriber level or higher).\n*   **Payload:** Path parameter containing the target `order_id`.\n*   **Preconditions:** At least one order\u002Fbooking must exist in the system for data to be exposed.\n\n## 3. Code Flow\n1.  **Registration:** The plugin registers REST routes during the `rest_api_init` hook. One of these routes handles order retrieval.\n2.  **Request Initiation:** A Subscriber user sends a `GET` request to `\u002Fwp-json\u002Feventin\u002Fv1\u002Forders\u002F\u003CID>`.\n3.  **Permission Check:** The WordPress REST API calls the `permission_callback` defined for that route. In this plugin, it points to `get_item_permissions_check()`.\n4.  **Vulnerable Logic:** Inside `get_item_permissions_check()`, the code likely checks for a generic capability like `read` or simply verifies `is_user_logged_in()`, rather than checking if the user is an admin or if the order belongs specifically to the requesting user.\n5.  **Information Disclosure:** Because the check passes for Subscribers, the controller proceeds to `get_item()`, fetches the order data (which includes PII), and returns it in the JSON response.\n\n## 4. Nonce Acquisition Strategy\nThe WordPress REST API requires a `_wpnonce` parameter or `X-WP-Nonce` header for authenticated requests to prevent CSRF, even for some `GET` requests if the session is cookie-based.\n\n1.  **Identify Trigger:** The `base\u002FEnqueue\u002Fadmin.php` file enqueues several scripts like `etn-app-index` and `etn-dashboard`. These typically load the WordPress REST environment.\n2.  **Create Page:** A Subscriber user can access the standard WordPress dashboard (`\u002Fwp-admin\u002Findex.php`).\n3.  **Execute Extraction:**\n    *   Navigate to `\u002Fwp-admin\u002Findex.php` as the Subscriber.\n    *   The REST nonce is globally available in the `wpApiSettings` object on most admin pages or can be extracted from the localized data of the plugin's scripts.\n    *   **JS Command:** `browser_eval(\"wpApiSettings.nonce\")` or `browser_eval(\"localized_data_obj.nonce\")` (based on `etn_get_locale_data()` seen in `base\u002FEnqueue\u002Fadmin.php`).\n4.  **Action String:** The nonce action used for the REST API is always `wp_rest`.\n\n## 5. Exploitation Strategy\n1.  **Preparation:** Log in as a Subscriber user.\n2.  **Nonce Retrieval:** Use `browser_eval` to get the `wp_rest` nonce.\n3.  **Discovery:** Identify the REST namespace. \n    *   Request `GET \u002Fwp-json\u002F` and look for namespaces containing \"eventin\".\n4.  **Targeting:** Access the order endpoint.\n    *   **Request Method:** `GET`\n    *   **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-json\u002Feventin\u002Fv1\u002Forders\u002F1` (Increment IDs to find data).\n    *   **Headers:** \n        *   `X-WP-Nonce: [EXTRACTED_NONCE]`\n        *   `Cookie: [SUBSCRIBER_COOKIES]`\n5.  **Iteration:** Use a script or loop to iterate IDs from 1 to 100.\n\n## 6. Test Data Setup\nTo demonstrate the PII exposure, the environment must contain an order:\n1.  **Install Eventin:** Ensure the plugin (v4.1.8) is active.\n2.  **Create Event:** Use WP-CLI to create an event post type.\n    *   `wp post create --post_type=etn-event --post_title=\"Sensitive Event\" --post_status=publish`\n3.  **Create Order:** As Admin, create a manual booking\u002Forder or use the front-end to book a ticket for a dummy user \"Victim User\" with email `victim@example.com` and phone `555-0199`.\n4.  **Create Attacker:** Create a user with the Subscriber role.\n    *   `wp user create attacker attacker@example.com --role=subscriber --user_pass=password123`\n\n## 7. Expected Results\n*   **Successful Exploit:** The server returns a `200 OK` response with a JSON body containing fields like `customer_name`, `customer_email`, `customer_phone`, and `order_total` for an order ID that does *not* belong to the Subscriber.\n*   **Vulnerable Response Snippet:**\n    ```json\n    {\n      \"id\": 1,\n      \"order_details\": {\n        \"full_name\": \"Victim User\",\n        \"email\": \"victim@example.com\",\n        \"phone\": \"555-0199\"\n      }\n    }\n    ```\n\n## 8. Verification Steps\n1.  **HTTP Check:** Confirm the response code is `200` and the PII is present in the JSON output.\n2.  **Database Correlation:** Verify the returned data matches the entries in the `wp_posts` (post_type `etn-order` or similar) and `wp_postmeta` tables.\n    *   `wp db query \"SELECT * FROM wp_postmeta WHERE post_id = 1\"`\n3.  **Capability Check:** Confirm the \"attacker\" user indeed only has the `subscriber` role and should not normally see other users' orders.\n    *   `wp user get attacker --field=roles`\n\n## 9. Alternative Approaches\n*   **Alternative Endpoints:** If `\u002Forders\u002F` is not the route, check `\u002Fattendees\u002F` or `\u002Ftickets\u002F`. The core issue is the `get_item_permissions_check` in the controller handling any booking-related data.\n*   **Export Functionality:** Check if the CSV\u002FJSON exporters defined in `base\u002FExporter\u002F` are reachable via an unprivileged AJAX or REST action. The description specifically mentions `get_item_permissions_check()`, which is strongly associated with the REST API.\n*   **Public REST:** Check if the endpoint allows access even without a nonce (though authenticated) if the `permission_callback` returns `true`.","The Eventin plugin for WordPress (versions up to 4.1.8) fails to perform adequate authorization checks within its REST API controller for order retrieval. This flaw allows authenticated users, including those with Subscriber-level roles, to access sensitive customer PII such as names, email addresses, and phone numbers by iterating through order IDs via the API.","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-event-solution\u002F4.1.8\u002Fbase\u002FEnqueue\u002Fadmin.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-event-solution\u002F4.1.9\u002Fbase\u002FEnqueue\u002Fadmin.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-event-solution\u002F4.1.8\u002Fbase\u002FEnqueue\u002Fadmin.php\t2026-03-17 11:12:52.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-event-solution\u002F4.1.9\u002Fbase\u002FEnqueue\u002Fadmin.php\t2026-04-08 10:11:10.000000000 +0000\n@@ -134,7 +134,7 @@\n         wp_localize_script( 'etn-onboard-index', 'localized_data_obj', $localize_data );\n         wp_enqueue_style( 'etn-icon' );\n         \u002F\u002F Enque block editor style in events create and edit pages only\n-        if ( isset( $_GET['page'] ) && $_GET['page'] === 'eventin' ) {\n+        if ( isset( $_GET['page'] ) && $_GET['page'] === 'eventin' ) { \u002F\u002F phpcs:ignore WordPress.Security.NonceVerification.Recommended, WordPress.Security.ValidatedSanitizedInput.InputNotSanitized -- admin script enqueue condition; page param compared to a literal string only.\n             wp_enqueue_style( 'wp-block-editor' );\n         }\n     }\ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-event-solution\u002F4.1.8\u002Fbase\u002FEnqueue\u002Fregister.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-event-solution\u002F4.1.9\u002Fbase\u002FEnqueue\u002Fregister.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-event-solution\u002F4.1.8\u002Fbase\u002FEnqueue\u002Fregister.php\t2026-03-17 11:12:52.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-event-solution\u002F4.1.9\u002Fbase\u002FEnqueue\u002Fregister.php\t2026-04-08 10:11:10.000000000 +0000\n@@ -194,7 +194,7 @@\n         }\n \n         \u002F\u002F Parse the URL\n-        $url_parts = parse_url( $url );\n+        $url_parts = wp_parse_url( $url );\n \n         \u002F\u002F Check if the URL has a path component\n         if ( ! isset( $url_parts['path'] ) ) {\n@@ -204,7 +204,7 @@\n         $clean_path = str_replace( '.js', '.asset.php', $url_parts['path'] );\n \n         \u002F\u002F Get the file path from the URL path\n-        $file_path = $_SERVER['DOCUMENT_ROOT'] . $clean_path;\n+        $file_path = ( isset( $_SERVER['DOCUMENT_ROOT'] ) ? sanitize_text_field( wp_unslash( $_SERVER['DOCUMENT_ROOT'] ) ) : '' ) . $clean_path; \u002F\u002F phpcs:ignore WordPress.Security.ValidatedSanitizedInput -- DOCUMENT_ROOT is a trusted server variable used only to build a file path, not output or stored.\n \n         \u002F\u002F Check if the file exists\n         if ( ! file_exists( $file_path ) ) {","1. Log in to the WordPress site as an authenticated user (e.g., Subscriber role).\n2. Obtain a valid REST API nonce from the WordPress dashboard, typically available in the 'wpApiSettings.nonce' JavaScript object.\n3. Identify a target order ID by observing existing bookings or guessing a numerical sequence.\n4. Send an authenticated GET request to the Eventin REST API endpoint: '\u002Fwp-json\u002Feventin\u002Fv1\u002Forders\u002F\u003CID>', passing the nonce in the 'X-WP-Nonce' header.\n5. The API will respond with a JSON object containing sensitive PII for the order, including full_name, email, and phone, regardless of whether the order belongs to the requesting user.\n6. Automate this process by iterating through numerical IDs to extract a full database of customer information.","gemini-3-flash-preview","2026-04-16 15:52:36","2026-04-16 15:53:46",{"type":37,"vulnerable_version":38,"fixed_version":11,"vulnerable_browse":39,"vulnerable_zip":40,"fixed_browse":41,"fixed_zip":42,"all_tags":43},"plugin","4.1.8","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-event-solution\u002Ftags\u002F4.1.8","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-event-solution.4.1.8.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-event-solution\u002Ftags\u002F4.1.9","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-event-solution.4.1.9.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-event-solution\u002Ftags"]