Description
The Eventin – Events Calendar, Event Booking, Ticket & Registration (AI Powered) plugin for WordPress is vulnerable to unauthorized access of data due to an improper capability check on the get_item_permissions_check() function in all versions up to, and including, 4.1.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read arbitrary order data including customer PII (name, email, phone) by iterating order IDs.
Published: 2026-04-14
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Exposure
Action: Apply Update
AI Analysis

Impact

The Eventin – Events Calendar plugin for WordPress has an improper capability check in get_item_permissions_check(), the standard permission callback a WordPress REST API controller runs before serving a single item, in all releases up to and including 4.1.8. Because that callback does not verify that the caller is allowed to see the requested order, any authenticated user with Subscriber-level access or higher can read arbitrary order records and the customer personally identifiable information they contain (name, email, phone number). The weakness is categorized as Missing Authorization (CWE-862).
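To make the bug class concrete, the following is an added illustration written for this page; it is not Eventin's code and not taken from the advisory. The class name, REST namespace and route, the assumption that orders are stored as a post type with the customer as post_author, and the manage_options capability are all assumptions. It shows the weak permission callback that lets any logged-in user pass, next to a hardened one that requires either a management capability or ownership of the specific order.

```php
<?php
// Added illustration of the bug class, not Eventin's code: class, namespace, route,
// storage model and capability names are assumptions. Runs inside WordPress, which
// supplies WP_REST_Controller, WP_REST_Server, WP_Error and the capability helpers.

class Example_Orders_Controller extends WP_REST_Controller {

    public function register_routes() {
        register_rest_route( 'example/v1', '/orders/(?P<id>\d+)', array(
            'methods'             => WP_REST_Server::READABLE,
            'callback'            => array( $this, 'get_item' ),
            // The permission callback is the only gate between a Subscriber and the order.
            'permission_callback' => array( $this, 'get_item_permissions_check' ),
            'args'                => array(
                'id' => array(
                    'validate_callback' => function ( $value ) {
                        return is_numeric( $value );
                    },
                ),
            ),
        ) );
    }

    /**
     * Weak check of the kind CWE-862 describes: any logged-in user passes, so a
     * Subscriber can request /orders/1, /orders/2, ... and read every customer's
     * name, email and phone. Kept here only for comparison; do not register it.
     */
    public function get_item_permissions_check_weak( $request ) {
        return is_user_logged_in();
    }

    /**
     * Hardened check: a management capability, or ownership of that specific order.
     * Returning the same error for "not yours" and "does not exist" keeps the
     * endpoint from acting as an order-ID oracle for unprivileged callers.
     */
    public function get_item_permissions_check( $request ) {
        if ( current_user_can( 'manage_options' ) ) {          // assumed admin capability
            return true;
        }
        $order_id = (int) $request['id'];
        $owner_id = (int) get_post_field( 'post_author', $order_id ); // assumed: orders are a post type
        if ( $order_id > 0 && $owner_id > 0 && $owner_id === get_current_user_id() ) {
            return true;
        }
        return new WP_Error(
            'rest_forbidden',
            __( 'Sorry, you are not allowed to view this order.' ),
            array( 'status' => rest_authorization_required_code() ) // 401 anonymous, 403 logged in
        );
    }

    /** Only reached after the permission callback returned true. */
    public function get_item( $request ) {
        $post = get_post( (int) $request['id'] );
        if ( ! $post ) {
            return new WP_Error( 'rest_not_found', 'Order not found.', array( 'status' => 404 ) );
        }
        return rest_ensure_response( array( 'id' => $post->ID, 'status' => $post->post_status ) );
    }
}

add_action( 'rest_api_init', function () {
    ( new Example_Orders_Controller() )->register_routes();
} );
```

The point to check in any REST controller review is the second branch: is_user_logged_in() (or a check that every role satisfies) in a permission callback is exactly the condition that turns a Subscriber account into a read-everything account.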

Affected Systems

The vulnerability affects the WordPress plugin Eventin – Event Calendar, Event Registration, Tickets & Booking (AI Powered) from the vendor arraytics, for all versions up to 4.1.8 inclusive. Any WordPress site that has this plugin installed at those versions is susceptible to unauthorized disclosure of order data.

Risk and Exploitability

The CVSS v3.1 base score of 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) places the issue at Medium severity: it is reachable over the network with low attack complexity and no user interaction, but it requires a low-privileged account and affects confidentiality only. The EPSS score is below 1% (Very Low), the issue is not listed in CISA's KEV catalog, and the SSVC assessment records no known exploitation, rates it not automatable, and scores the technical impact as partial. An attacker needs an account with the Subscriber role or higher. The description states that order data is read by iterating order IDs, but gives no detail on ID format, request volume, or rate limiting, so the effort required cannot be confirmed from the advisory. Since many sites allow open registration, Subscriber accounts are cheap to obtain, and the exposed fields (name, email, phone) are customer PII, so the practical risk is moderate but not negligible.
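Since the advisory says the data is reached by iterating order IDs, the traffic pattern to look for is one client reading many distinct order IDs in a short window. The script below is an added detection example for this page, not part of the advisory or the plugin: it assumes the endpoint lives at /wp-json/eventin/v1/orders/<id> (take the real route from the plugin's register_rest_route() calls) and that the web server writes combined-format access logs; the log lines in it are constructed for the demonstration.

```php
<?php
// Added detection example; not from the advisory, OpenCVE, or the Eventin plugin.
// Assumptions: order reads hit /wp-json/eventin/v1/orders/<id> and the web server
// writes combined-format access logs. The sample lines below are constructed.

const ORDER_LINE_RE    = '/^(\S+) \S+ \S+ \[([^\]]+)\] "GET \/wp-json\/eventin\/v\d+\/orders\/(\d+)[^"]*" (\d{3})/';
const WINDOW_SECONDS   = 300; // look-back window per client
const MIN_DISTINCT_IDS = 5;   // distinct order IDs inside one window that trigger an alert

/** Parse one access-log line into [ip, unix_ts, order_id, status]; null if it is not an order read. */
function parse_order_read( string $line ): ?array {
    if ( ! preg_match( ORDER_LINE_RE, $line, $m ) ) {
        return null;
    }
    $ts = DateTime::createFromFormat( 'd/M/Y:H:i:s O', $m[2] );
    if ( ! $ts ) {
        return null;
    }
    return [ $m[1], $ts->getTimestamp(), (int) $m[3], (int) $m[4] ];
}

/**
 * For each client IP, find the largest set of distinct order IDs read successfully
 * inside any WINDOW_SECONDS window; report the IP when it reaches MIN_DISTINCT_IDS.
 */
function find_enumerators( array $lines ): array {
    $by_ip = [];
    foreach ( $lines as $line ) {
        $hit = parse_order_read( $line );
        if ( $hit && $hit[3] === 200 ) {            // only successful reads leak data
            $by_ip[ $hit[0] ][] = [ $hit[1], $hit[2] ];
        }
    }
    $alerts = [];
    foreach ( $by_ip as $ip => $events ) {
        usort( $events, fn( $a, $b ) => $a[0] <=> $b[0] );
        $best = [];
        $n    = count( $events );
        for ( $i = 0; $i < $n; $i++ ) {             // window starts at each event in turn
            $ids = [];
            for ( $j = $i; $j < $n && $events[ $j ][0] - $events[ $i ][0] <= WINDOW_SECONDS; $j++ ) {
                $ids[ $events[ $j ][1] ] = true;
            }
            if ( count( $ids ) > count( $best ) ) {
                $best = $ids;
            }
        }
        if ( count( $best ) >= MIN_DISTINCT_IDS ) {
            $alerts[ $ip ] = array_keys( $best );
        }
    }
    return $alerts;
}

// Constructed sample: 203.0.113.7 walks IDs 100..106 within a minute (one 403 mixed in),
// while 198.51.100.2 reads the same single order twice, as a real customer might.
$sample = [
    '203.0.113.7 - - [14/Apr/2026:10:00:01 +0000] "GET /wp-json/eventin/v1/orders/100 HTTP/1.1" 200 512 "-" "curl/8.4"',
    '203.0.113.7 - - [14/Apr/2026:10:00:02 +0000] "GET /wp-json/eventin/v1/orders/101 HTTP/1.1" 200 498 "-" "curl/8.4"',
    '203.0.113.7 - - [14/Apr/2026:10:00:03 +0000] "GET /wp-json/eventin/v1/orders/102 HTTP/1.1" 403 96 "-" "curl/8.4"',
    '203.0.113.7 - - [14/Apr/2026:10:00:04 +0000] "GET /wp-json/eventin/v1/orders/103 HTTP/1.1" 200 530 "-" "curl/8.4"',
    '203.0.113.7 - - [14/Apr/2026:10:00:05 +0000] "GET /wp-json/eventin/v1/orders/104 HTTP/1.1" 200 521 "-" "curl/8.4"',
    '203.0.113.7 - - [14/Apr/2026:10:00:06 +0000] "GET /wp-json/eventin/v1/orders/105 HTTP/1.1" 200 507 "-" "curl/8.4"',
    '203.0.113.7 - - [14/Apr/2026:10:00:07 +0000] "GET /wp-json/eventin/v1/orders/106 HTTP/1.1" 200 515 "-" "curl/8.4"',
    '198.51.100.2 - - [14/Apr/2026:10:02:10 +0000] "GET /wp-json/eventin/v1/orders/57 HTTP/1.1" 200 509 "-" "Mozilla/5.0"',
    '198.51.100.2 - - [14/Apr/2026:10:05:41 +0000] "GET /wp-json/eventin/v1/orders/57 HTTP/1.1" 200 509 "-" "Mozilla/5.0"',
];

foreach ( find_enumerators( $sample ) as $ip => $ids ) {
    printf( "ALERT %s read %d distinct orders: %s\n", $ip, count( $ids ), implode( ',', $ids ) );
}
```

Access logs identify the client only by IP; cookie-authenticated REST calls carry no WordPress user name in the log line. To attribute enumeration to an account, record get_current_user_id() alongside the route from a hook such as rest_request_after_callbacks, then join on IP and time.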

Generated by OpenCVE AI on April 14, 2026 at 09:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Eventin plugin update (4.1.9 or newer); the advisory lists every release up to and including 4.1.8 as affected.
  • Verify, on the Plugins screen or with WP-CLI, that the installed plugin version is newer than 4.1.8.
  • If an immediate update is not possible, block Subscriber-level accounts (and any custom role without order-management capabilities) from reaching the plugin's order REST endpoints, using a WAF rule, a security plugin, or a small must-use plugin; consider disabling open user registration for the interim so attackers cannot simply create a Subscriber account.
  • Review stored order records to establish what customer PII could have been read, minimize or redact fields the site does not need, and assess whether notification obligations apply.
  • Monitor user logins and data access patterns for suspicious activity, in particular bursts of requests to order endpoints with sequential IDs from a single account or IP address.
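One way to implement the interim restriction from the third action above is a must-use plugin that refuses order routes to anyone without a management capability. This is an added example for this page, not Eventin's or OpenCVE's code: the route pattern is an assumption (read the real namespace and path from the affected plugin's register_rest_route() calls), and manage_options is the assumed capability to keep.

```php
<?php
/**
 * Plugin Name: Temporary order-route guard (example)
 *
 * Added mitigation example, not Eventin's or OpenCVE's code. Place it in
 * wp-content/mu-plugins/ while the plugin update is pending. The route pattern is
 * an assumption: take the real namespace and path from the affected plugin's
 * register_rest_route() calls and adjust it before use.
 */

const EXAMPLE_ORDER_ROUTE_RE = '#^/eventin/v\d+/orders(?:/|$)#'; // assumed route pattern
const EXAMPLE_REQUIRED_CAP   = 'manage_options';                  // who may still read orders

add_filter( 'rest_pre_dispatch', function ( $result, $server, $request ) {
    // get_route() returns the path without the /wp-json prefix, e.g. /eventin/v1/orders/5
    if ( ! preg_match( EXAMPLE_ORDER_ROUTE_RE, $request->get_route() ) ) {
        return $result;                       // not an order route: leave untouched
    }
    if ( current_user_can( EXAMPLE_REQUIRED_CAP ) ) {
        return $result;                       // privileged user: normal dispatch
    }
    // Record the blocked attempt so enumeration shows up in the PHP error log.
    error_log( sprintf(
        'order-route guard: blocked %s %s for user %d from %s',
        $request->get_method(),
        $request->get_route(),
        get_current_user_id(),
        $_SERVER['REMOTE_ADDR'] ?? 'unknown'
    ) );
    // A non-null return short-circuits dispatch; a WP_Error becomes a 403 JSON response.
    return new WP_Error(
        'rest_forbidden',
        'Order data is restricted until the plugin update is applied.',
        array( 'status' => 403 )
    );
}, 10, 3 );
```

This guard also blocks any legitimate front-end feature that lets a customer read their own order through the same route, so test the booking and ticket flows before leaving it in place, and remove it once the patched version is installed.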

Generated by OpenCVE AI on April 14, 2026 at 09:50 UTC.

Advisories

No advisories yet.

History

Tue, 14 Apr 2026 16:30:00 +0000

Type: First Time appeared
Values Removed: –
Values Added:
  Arraytics
  Arraytics eventin – Event Calendar, Event Registration, Tickets & Booking (ai Powered)
  Wordpress
  Wordpress wordpress

Type: Vendors & Products
Values Removed: –
Values Added:
  Arraytics
  Arraytics eventin – Event Calendar, Event Registration, Tickets & Booking (ai Powered)
  Wordpress
  Wordpress wordpress

Tue, 14 Apr 2026 13:15:00 +0000

Type: Metrics (ssvc)
Values Removed: –
Values Added:
  {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 14 Apr 2026 08:30:00 +0000

Type: Description
Values Removed: –
Values Added:
  The Eventin – Events Calendar, Event Booking, Ticket & Registration (AI Powered) plugin for WordPress is vulnerable to unauthorized access of data due to an improper capability check on the get_item_permissions_check() function in all versions up to, and including, 4.1.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read arbitrary order data including customer PII (name, email, phone) by iterating order IDs.

Type: Title
Values Removed: –
Values Added:
  Eventin – Events Calendar, Event Booking, Ticket & Registration (AI Powered) <= 4.1.8 Missing Authorization to Authenticated (Subscriber+) Order Information Exposure

Type: Weaknesses
Values Removed: –
Values Added:
  CWE-862

Type: References
Values Removed: –
Values Added: –

Type: Metrics (cvssV3_1)
Values Removed: –
Values Added:
  {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-14T13:00:42.566Z

Reserved: 2026-03-13T10:40:12.586Z

Link: CVE-2026-4109

Vulnrichment

Updated: 2026-04-14T13:00:39.021Z

NVD

Status : Received

Published: 2026-04-14T09:16:36.460

Modified: 2026-04-14T09:16:36.460

Link: CVE-2026-4109

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-14T16:30:46Z

Weaknesses