Description
Unauthenticated Broken Access Control in WP Event SOlution <= 4.1.8 versions.
Published: 2026-06-15
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The WP Eventin plugin contains a broken access control flaw where user authentication is not verified before performing create, modify, or delete operations on event data. This vulnerability allows an attacker with no credentials to gain unauthorized access to privileged event functions, potentially leading to data loss, defacement, or exposure of sensitive event information. The weakness is classified as CWE-862, improper authorization handling.

Affected Systems

The flaw affects all installations of the WordPress Eventin Plugin provided by Arraytics:WP Event Solution that are running version 4.1.8 or earlier, irrespective of the underlying WordPress core version.

Risk and Exploitability

The CVSS score of 7.5 indicates a high impact over the confidentiality and integrity of event data. The EPSS score is below 1%, suggesting that real-world exploitation has been limited or not observed yet, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that the attack vector involves unauthenticated HTTP requests to the plugin's API endpoints; an attacker can craft requests to trigger the privileged actions without authentication. The lack of access checks lowers the barrier for exploitation, but the low EPSS indicates it has not yet attracted widespread attacks.

Generated by OpenCVE AI on June 18, 2026 at 00:56 UTC.

Remediation

Vendor Solution

Update the WordPress Eventin Plugin to the latest available version (at least 4.1.9).


OpenCVE Recommended Actions

  • Apply the latest WordPress Eventin Plugin update (4.1.9 or newer) to fix the access control flaw.
  • Configure a web-application firewall or similar controls to block unauthenticated requests to the plugin's administrative URLs and API endpoints.
  • Review the site's role-based access control and ensure that only users with the appropriate permissions can manage events via the plugin; remove or restrict default or unused accounts that may have unnecessary access.

Generated by OpenCVE AI on June 18, 2026 at 00:56 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 23 Jun 2026 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Arraytics
Arraytics wp Event Solution
Wordpress
Wordpress wordpress
Vendors & Products Arraytics
Arraytics wp Event Solution
Wordpress
Wordpress wordpress

Tue, 16 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 15 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Description Unauthenticated Broken Access Control in WP Event SOlution <= 4.1.8 versions.
Title WordPress Eventin plugin <= 4.1.8 - Broken Access Control vulnerability
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


Subscriptions

Arraytics Wp Event Solution
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-16T17:11:14.673Z

Reserved: 2026-04-15T09:20:36.793Z

Link: CVE-2026-40776

cve-icon Vulnrichment

Updated: 2026-06-16T14:09:08.446Z

cve-icon NVD

Status : Deferred

Published: 2026-06-15T21:16:50.347

Modified: 2026-06-15T21:24:32.790

Link: CVE-2026-40776

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-23T21:07:31Z

Weaknesses