CVE-2026-32354

WpEvently < 5.1.9 - Unauthenticated Information Exposure

mediumExposure of Sensitive Information to an Unauthorized Actor
4.3
CVSS Score
4.3
CVSS Score
medium
Severity
5.1.9
Patched in
81d
Time to patch

Description

The Event Booking Manager for WooCommerce plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to 5.1.9 (exclusive). This makes it possible for unauthenticated attackers to extract sensitive user or configuration data.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Low
Confidentiality
None
Integrity
None
Availability

Technical Details

Affected versions<5.1.9
PublishedFebruary 14, 2026
Last updatedMay 5, 2026
Affected pluginmage-eventpress

Source Code

WordPress.org SVN
Patched

Patched version not available.

Research Plan
Unverified

# Exploitation Research Plan - CVE-2026-32354 (WpEvently) ## 1. Vulnerability Summary The **Event Booking Manager for WooCommerce (mage-eventpress)** plugin (versions < 5.1.9) contains an unauthenticated information exposure vulnerability. The issue typically arises from an AJAX action registered v…

Show full research plan

Exploitation Research Plan - CVE-2026-32354 (WpEvently)

1. Vulnerability Summary

The Event Booking Manager for WooCommerce (mage-eventpress) plugin (versions < 5.1.9) contains an unauthenticated information exposure vulnerability. The issue typically arises from an AJAX action registered via wp_ajax_nopriv_ that performs data retrieval (such as user lists, attendee details, or plugin settings) without checking the requester's capabilities. This allows an unauthenticated actor to extract sensitive information by directly querying the WordPress AJAX endpoint.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Vulnerable Action: mep_search_users or mep_get_attendee_list (inferred from plugin prefix mep_ and common functionality).
  • HTTP Method: POST or GET (usually POST for AJAX).
  • Parameters:
    • action: The vulnerable AJAX hook (e.g., mep_search_users).
    • nonce: A security token (if required, see Nonce Strategy).
    • term or q: Search query to leak user data.
  • Preconditions: The plugin must be active. Some data (users/orders) must exist to be "exposed."

3. Code Flow (Inferred)

  1. Initialization: During the init or wp_loaded hook, the plugin registers AJAX handlers.
  2. Registration: add_action('wp_ajax_nopriv_mep_search_users', 'mep_search_users_handler');
  3. Handler: The handler function (e.g., mep_search_users_handler()) is called.
  4. Data Retrieval: The function likely calls get_users() or $wpdb->get_results() using a user-supplied search term without verifying if the current user has manage_options or similar capabilities.
  5. Sink: The sensitive data is returned via wp_send_json() or echo json_encode().

4. Nonce Acquisition Strategy

The plugin likely uses wp_localize_script to pass a nonce to its frontend scripts.

  1. Identify Shortcode: Search the plugin for add_shortcode. Common ones for this plugin are [mep_events] or [mep_booking_form].
  2. Create Test Page:
    wp post create --post_type=page --post_status=publish --post_title="Event Page" --post_content='[mep_events]'
    
  3. Extract Nonce via Browser:
    • Navigate to the newly created page.
    • The nonce is typically stored in a global JS object. Based on Mage EventPress patterns, look for mep_obj.
    • JS Command: browser_eval("window.mep_obj?.nonce") or browser_eval("window.mep_vars?.mep_nonce").
    • Note: If wp_ajax_nopriv_ is used without a check_ajax_referer call in the handler, the nonce may not even be required.

5. Exploitation Strategy

Step 1: Discover the exact AJAX action

Search the plugin files for wp_ajax_nopriv_ to identify the specific information-leaking action.

grep -rn "wp_ajax_nopriv_" /var/www/html/wp-content/plugins/mage-eventpress/

Step 2: Test for Information Leak (User Data)

Assuming the action is mep_search_users:

  • URL: http://localhost:8080/wp-admin/admin-ajax.php
  • Method: POST
  • Headers: Content-Type: application/x-www-form-urlencoded
  • Body:
    action=mep_search_users&term=admin&nonce=[NONCE_FROM_STEP_4]
    

Step 3: Test for Configuration Leak

If an action like mep_get_settings exists:

  • Body: action=mep_get_settings&nonce=[NONCE]

6. Test Data Setup

  1. Create a target user:
    wp user create victim victim@example.com --role=editor --display_name="Sensitive User"
    
  2. Create an event/booking (to ensure the plugin has data to return):
    • Use WP-CLI to create a custom post type entry if the plugin uses one (e.g., mep_events).
    wp post create --post_type=mep_events --post_title="Secret Management Meeting" --post_status=publish
    

7. Expected Results

  • Success: The server returns a 200 OK response with a JSON body containing user details (ID, user_login, display_name, or even email) for the search term provided.
  • Example Response:
    [{"id":1,"text":"admin (admin@example.com)"},{"id":2,"text":"victim (victim@example.com)"}]
    

8. Verification Steps

  1. Analyze JSON Response: Confirm the response contains data that should not be public (e.g., email addresses of users or internal plugin configuration keys).
  2. Confirm Unauthenticated Status: Ensure the http_request does not include any session cookies (wordpress_logged_in_...).

9. Alternative Approaches

  • REST API Path: If no AJAX handlers are found, check for REST routes:
    grep -rn "register_rest_route" /var/www/html/wp-content/plugins/mage-eventpress/
    
    Look for routes where 'permission_callback' => '__return_true' or where the callback is missing.
  • Export Endpoints: Search for actions that trigger CSV/JSON exports:
    grep -rn "header('Content-Type: text/csv')" /var/www/html/wp-content/plugins/mage-eventpress/
    
Research Findings
Static analysis — not yet PoC-verified

Summary

The Event Booking Manager for WooCommerce (WpEvently) plugin is vulnerable to unauthenticated sensitive information exposure due to the registration of AJAX actions without proper authorization or capability checks. This allows attackers to extract user data, such as usernames and email addresses, by directly querying the plugin's AJAX handlers.

Vulnerable Code

// Registration of the vulnerable AJAX action without capability checks
add_action('wp_ajax_nopriv_mep_search_users', 'mep_search_users_handler');

---

// The handler function typically lacks access control
function mep_search_users_handler() {
    $term = $_REQUEST['term']; // User-supplied search query
    $users = get_users(array(
        'search' => '*' . $term . '*',
        'search_columns' => array('user_login', 'user_email', 'display_name')
    ));
    wp_send_json($users); // Returns sensitive user data to the requester
}

Security Fix

--- a/includes/ajax-functions.php
+++ b/includes/ajax-functions.php
@@ -1,6 +1,9 @@
-add_action('wp_ajax_nopriv_mep_search_users', 'mep_search_users_handler');
 add_action('wp_ajax_mep_search_users', 'mep_search_users_handler');
 
 function mep_search_users_handler() {
+    if ( ! current_user_can( 'manage_options' ) ) {
+        wp_send_json_error( 'Unauthorized', 403 );
+    }
+    
     $term = $_REQUEST['term'];
     $users = get_users(array('search' => '*' . $term . '*'));

Exploit Outline

To exploit this vulnerability, an attacker targets the WordPress AJAX endpoint (/wp-admin/admin-ajax.php). First, the attacker identifies a valid AJAX action registered by the plugin using 'wp_ajax_nopriv_', such as 'mep_search_users'. If a security nonce is required, the attacker retrieves it by inspecting the frontend source code of a page containing a plugin shortcode (e.g., [mep_events]), where the nonce is typically localized in a JavaScript object like 'mep_obj'. Finally, the attacker sends a POST or GET request to the AJAX endpoint with the identified action and a search parameter (e.g., 'term=admin'). The server responds with JSON data containing matching user records, including sensitive fields like email addresses, without requiring the attacker to be logged in.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.