Description
The Easy PayPal Events & Tickets plugin for WordPress, versions 1.3 and earlier, contains a hardcoded authentication bypass vulnerability in the QR code scanning functionality that allows unauthenticated remote attackers to bypass hash verification by supplying 'test' as the hash parameter. Attackers can access the vulnerable endpoint via the add_wpeevent_button_qr action to retrieve sensitive order details including PayPal transaction IDs, customer email addresses, purchase amounts, and ticket information for any order with a known or guessed post ID. This plugin was officially closed as of 2026-03-18.
Published: 2026-05-04
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Easy PayPal Events & Tickets WordPress plugin up to version 1.3 contains a hardcoded authentication bypass in its QR code scanning routine. An attacker who provides the string 'test' as a hash value can trick the plugin into skipping real hash verification. This allows unauthenticated remote attackers to reach the add_wpeevent_button_qr action and obtain detailed order information such as PayPal transaction identifiers, customer email addresses, purchase amounts, and ticket metadata. The vulnerability can be used to harvest confidential order data from any site that has the plugin installed and has not removed or updated it.

Affected Systems

All WordPress sites running Easy PayPal Events & Tickets version 1.3 or earlier are affected. The plugin has been officially closed as of March 18, 2026, but legacy installations that have not been removed remain vulnerable.

Risk and Exploitability

The CVSS score of 8.7 indicates high severity. EPSS data is not available, so exploitation likelihood cannot be quantified from that metric, and the flaw is not listed in the CISA KEV catalog. Because the vulnerable endpoint is reachable with a standard HTTP request and no authentication, remote attackers can exploit the flaw from the internet if the site is reachable. The attack vector is inferred to be remote (network), and exploitation requires only knowledge of the plugin's endpoint and a target post ID.

Generated by OpenCVE AI on May 4, 2026 at 18:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Easy PayPal Events & Tickets to a version newer than 1.3 or uninstall the plugin if it is no longer needed.
  • If upgrading is not immediately possible, block access to the vulnerable QR code scanning endpoint by restricting requests to 'admin-ajax.php?action=add_wpeevent_button_qr' using your web server or CMS settings.
  • Configure a Web Application Firewall or firewall rule to detect and block requests that set the hash parameter to 'test' or that target the add_wpeevent_button_qr action.
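
A log check to accompany the recommended actions above, as an added example that is not part of the OpenCVE record or the plugin: it scans web server access logs in Combined Log Format for requests to the QR action and counts, per client, those carrying the hardcoded hash value. The `hash` query key name, the `/wp-admin/` path prefix and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

ACTION = "add_wpeevent_button_qr"  # action name as given in the CVE description
HASH_KEY = "hash"                  # assumed query key, from "the hash parameter"
BYPASS_VALUE = "test"              # hardcoded value named in the description

# Combined Log Format: ip ident user [time] "METHOD target PROTO" status size ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [04/May/2026:19:02:11 +0000] "GET /wp-admin/admin-ajax.php?action=add_wpeevent_button_qr&hash=test HTTP/1.1" 200 512 "-" "curl/8.5"
203.0.113.7 - - [04/May/2026:19:02:12 +0000] "GET /wp-admin/admin-ajax.php?action=add_wpeevent_button_qr&hash=%74est HTTP/1.1" 200 498 "-" "curl/8.5"
198.51.100.4 - - [04/May/2026:19:05:40 +0000] "GET /wp-admin/admin-ajax.php?action=add_wpeevent_button_qr&hash=9f2c41aa HTTP/1.1" 200 530 "-" "Mozilla/5.0"
198.51.100.9 - - [04/May/2026:19:06:01 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 60 "-" "Mozilla/5.0"
192.0.2.33 - - [04/May/2026:19:07:15 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 501 "-" "python-requests/2.31"
"""

def scan(log_text):
    """Return {client_ip: {"bypass": n, "other": n}} for requests to the QR action."""
    hits = defaultdict(lambda: {"bypass": 0, "other": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, _method, target, _status = m.groups()
        url = urlsplit(target)
        if not url.path.endswith("/admin-ajax.php"):
            continue
        # parse_qs percent-decodes values, so hash=%74est is compared as "test".
        params = parse_qs(url.query, keep_blank_values=True)
        # A POST that carries the action in its body has no query string here
        # and is skipped: access logs cannot see it, a WAF or body logging can.
        if ACTION not in params.get("action", []):
            continue
        kind = "bypass" if BYPASS_VALUE in params.get(HASH_KEY, []) else "other"
        hits[ip][kind] += 1
    return {ip: dict(counts) for ip, counts in hits.items()}

if __name__ == "__main__":
    for ip, counts in scan(SAMPLE_LOG).items():
        print(ip, counts)
```

Any "bypass" count on a site that still has the plugin installed warrants review of which orders were requested; the "other" count gives a baseline of legitimate QR scans for comparison.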


Advisories

No advisories yet.

History

Mon, 04 May 2026 20:15:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Scott Paterson; Scott Paterson easy-paypal-events-tickets; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Scott Paterson; Scott Paterson easy-paypal-events-tickets; Wordpress; Wordpress wordpress

Mon, 04 May 2026 19:15:00 +0000

Type: Metrics (ssvc)
Values Removed: (none)
Values Added: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 04 May 2026 17:45:00 +0000

Type: Description
Values Removed: (none)
Values Added: The Easy PayPal Events & Tickets plugin for WordPress, versions 1.3 and earlier, contains a hardcoded authentication bypass vulnerability in the QR code scanning functionality that allows unauthenticated remote attackers to bypass hash verification by supplying 'test' as the hash parameter. Attackers can access the vulnerable endpoint via the add_wpeevent_button_qr action to retrieve sensitive order details including PayPal transaction IDs, customer email addresses, purchase amounts, and ticket information for any order with a known or guessed post ID. This plugin was officially closed as of 2026-03-18.

Type: Title
Values Removed: (none)
Values Added: Easy PayPal Events & Tickets 1.3 Authentication Bypass via QR Code Scanning

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-798

Type: References

Type: Metrics (cvssV3_1)
Values Removed: (none)
Values Added: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Type: Metrics (cvssV4_0)
Values Removed: (none)
Values Added: {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-04T19:03:16.035Z

Reserved: 2026-03-16T18:11:41.757Z

Link: CVE-2026-32834

Vulnrichment

Updated: 2026-05-04T19:02:50.688Z

NVD

Status: Received

Published: 2026-05-04T18:16:27.223

Modified: 2026-05-04T18:16:27.223

Link: CVE-2026-32834

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-04T19:43:47Z

Weaknesses