Description
Easy PayPal Events & Tickets plugin for WordPress before version 1.4 contains a hardcoded authentication bypass vulnerability in the QR code scanning functionality that allows unauthenticated remote attackers to bypass hash verification by supplying 'test' as the hash parameter. Attackers can access the vulnerable endpoint via the add_wpeevent_button_qr action to retrieve sensitive order details including PayPal transaction IDs, customer email addresses, purchase amounts, and ticket information for any order with a known or guessed post ID.
Published: 2026-05-04
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Easy PayPal Events & Tickets plugin for WordPress before version 1.4 contains a hard-coded authentication bypass in its QR code scanning feature that allows unauthenticated remote attackers to bypass hash verification by providing the literal string "test" as the hash parameter. The vulnerability is exposed via the add_wpeevent_button_qr action and enables attackers to retrieve sensitive order data, including PayPal transaction IDs, customer email addresses, purchase amounts and ticket information, for any order whose post ID is known or can be guessed. This is a classic instance of CWE-798: reliance on hard-coded credentials or values.
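As an added illustration (not the plugin's code), the CWE-798 shape described above beside a hardened verifier, plus a small log-line check for the bypass value; the function names, the site secret, the endpoint path, the post_id parameter and the request format are assumptions, only the action name and the "test" hash value come from the advisory.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

# Constructed per-site secret; a real deployment would load it from config.
SITE_SECRET = secrets.token_bytes(32)

# Constructed request log, one URL per line. The endpoint path and the
# post_id parameter name are assumptions; only the action and hash
# parameter names come from the advisory text.
SAMPLE_REQUESTS = [
    "/plugin-endpoint-placeholder?action=add_wpeevent_button_qr&post_id=42&hash=test",
    "/plugin-endpoint-placeholder?action=add_wpeevent_button_qr&post_id=42&hash=" + "a" * 64,
    "/plugin-endpoint-placeholder?action=unrelated_action&post_id=42",
]


def expected_hash(order_id: int, secret: bytes = SITE_SECRET) -> str:
    """Keyed hash of the order ID; without the secret it cannot be forged."""
    return hmac.new(secret, str(order_id).encode(), hashlib.sha256).hexdigest()


def verify_vulnerable(order_id: int, supplied: str) -> bool:
    """Flawed check in the CWE-798 shape: one fixed value passes for any order."""
    if supplied == "test":  # hard-coded bypass value
        return True
    return supplied == expected_hash(order_id)


def verify_hardened(order_id: int, supplied: str) -> bool:
    """Fixed check: no magic value, a length guard, constant-time comparison."""
    if not isinstance(supplied, str) or len(supplied) != 64:
        return False
    return hmac.compare_digest(supplied, expected_hash(order_id))


def flag_bypass_attempts(log_lines):
    """Detection aid: return requests to the QR action that carry the bypass value."""
    hits = []
    for line in log_lines:
        qs = parse_qs(urlsplit(line.strip()).query)
        if qs.get("action") == ["add_wpeevent_button_qr"] and qs.get("hash") == ["test"]:
            hits.append(line.strip())
    return hits
```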

Affected Systems

All WordPress sites running Easy PayPal Events & Tickets version 1.3 or earlier are affected. The plugin has not received updates since version 1.3, leaving the hard-coded bypass in place for any legacy installation.

Risk and Exploitability

The CVSS score of 8.7 flags the vulnerability as high severity, while the EPSS score of <1% indicates a very low probability of exploitation at present. It is not listed in the CISA KEV catalog. The vulnerable endpoint is reachable via a standard HTTP request without authentication, so remote attackers can exploit the flaw over the Internet if the site is publicly reachable. The attack requires knowledge of the plugin's endpoint URL and a valid or guessable post identifier, but no authentication or privileged credentials are needed.

Generated by OpenCVE AI on May 13, 2026 at 18:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Easy PayPal Events & Tickets to version 1.4 or later to remove the hard-coded hash check.
  • If upgrading is not possible or the plugin is no longer maintained, deactivate or uninstall the Easy PayPal Events & Tickets plugin to eliminate the risk entirely.
  • Apply a web application firewall (WAF) rule or restrict access via .htaccess to block or require authentication for requests to the add_wpeevent_button_qr action, effectively preventing unauthenticated users from reaching the vulnerable endpoint.

Advisories

No advisories yet.

History

Wed, 13 May 2026 15:15:00 +0000

Type: Description
  Values Removed: Easy PayPal Events & Tickets plugin for WordPress version 1.3 and earlier contain a hardcoded authentication bypass vulnerability in the QR code scanning functionality that allows unauthenticated remote attackers to bypass hash verification by supplying 'test' as the hash parameter. Attackers can access the vulnerable endpoint via the add_wpeevent_button_qr action to retrieve sensitive order details including PayPal transaction IDs, customer email addresses, purchase amounts, and ticket information for any order with a known or guessed post ID. This plugin was officially closed as of 2026-03-18.
  Values Added: Easy PayPal Events & Tickets plugin for WordPress before version 1.4 contains a hardcoded authentication bypass vulnerability in the QR code scanning functionality that allows unauthenticated remote attackers to bypass hash verification by supplying 'test' as the hash parameter. Attackers can access the vulnerable endpoint via the add_wpeevent_button_qr action to retrieve sensitive order details including PayPal transaction IDs, customer email addresses, purchase amounts, and ticket information for any order with a known or guessed post ID.
Type: Title
  Values Removed: Easy PayPal Events & Tickets 1.3 Authentication Bypass via QR Code Scanning
  Values Added: Easy PayPal Events & Tickets < 1.4 Authentication Bypass via QR Code Scanning

Mon, 04 May 2026 20:15:00 +0000

Type: First Time appeared
  Values Removed: (none)
  Values Added: Scott Paterson; Scott Paterson easy-paypal-events-tickets; Wordpress; Wordpress wordpress
Type: Vendors & Products
  Values Removed: (none)
  Values Added: Scott Paterson; Scott Paterson easy-paypal-events-tickets; Wordpress; Wordpress wordpress

Mon, 04 May 2026 19:15:00 +0000

Type: Metrics
  Values Removed: (none)
  Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 04 May 2026 17:45:00 +0000

Type: Description
  Values Added: Easy PayPal Events & Tickets plugin for WordPress version 1.3 and earlier contain a hardcoded authentication bypass vulnerability in the QR code scanning functionality that allows unauthenticated remote attackers to bypass hash verification by supplying 'test' as the hash parameter. Attackers can access the vulnerable endpoint via the add_wpeevent_button_qr action to retrieve sensitive order details including PayPal transaction IDs, customer email addresses, purchase amounts, and ticket information for any order with a known or guessed post ID. This plugin was officially closed as of 2026-03-18.
Type: Title
  Values Added: Easy PayPal Events & Tickets 1.3 Authentication Bypass via QR Code Scanning
Type: Weaknesses
  Values Added: CWE-798
Type: References
  Values Added: (empty)
Type: Metrics
  Values Added: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}
                cvssV4_0 {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-13T15:10:47.918Z

Reserved: 2026-03-16T18:11:41.757Z

Link: CVE-2026-32834

Vulnrichment

Updated: 2026-05-04T19:02:50.688Z

NVD

Status: Deferred

Published: 2026-05-04T18:16:27.223

Modified: 2026-05-13T16:16:39.550

Link: CVE-2026-32834

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-13T18:30:46Z

Weaknesses