Description
Easy PayPal Events & Tickets plugin for WordPress before version 1.4 contain an information disclosure vulnerability in the QR code scanning endpoint that allows unauthenticated attackers to enumerate and retrieve all customer order records. Attackers can iterate over sequential WordPress post IDs through the scan_qr.php endpoint to harvest the complete set of orders stored in the database without requiring authentication or prior knowledge of specific order identifiers.
Published: 2026-05-04
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Easy PayPal Events & Tickets plugin for WordPress versions prior to 1.4 contains an information disclosure flaw in the QR‑code scanning endpoint. An unauthenticated attacker can iterate over WordPress post IDs via scan_qr.php to enumerate and retrieve all customer order records stored in the database, without authentication or prior knowledge of specific order IDs.

Affected Systems

WordPress sites that have installed the Easy PayPal Events & Tickets plugin version 1.3 or earlier. The plugin is developed by Scott Paterson.

Risk and Exploitability

The CVSS score of 8.2 indicates a high impact vulnerability, but the EPSS score of < 1% shows a very low but non‑zero likelihood of exploitation, and the vulnerability is not listed in the CISA KEV catalog. Attackers can trigger the flaw simply by sending HTTP requests to the scan_qr.php endpoint without any prior knowledge or credentials. The lack of authentication control and the ability to iterate over post IDs make exploitation straightforward.

Generated by OpenCVE AI on May 13, 2026 at 17:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Disable or uninstall the Easy PayPal Events & Tickets plugin to remove the vulnerable endpoint immediately.
  • If customer order data remains in the database, delete the plugin’s tables or export and safely purge the data to prevent accidental disclosure.
  • Configure the web server or .htaccess to block or restrict access to scan_qr.php and any other plugin endpoints that could expose information.
  • Maintain a current backup of the WordPress installation to restore the system if corruption occurs during cleanup.

Generated by OpenCVE AI on May 13, 2026 at 17:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 13 May 2026 16:30:00 +0000

Type Values Removed Values Added
References

Wed, 13 May 2026 15:15:00 +0000

Type Values Removed Values Added
Description Easy PayPal Events & Tickets plugin for WordPress versions 1.3 and earlier contain an information disclosure vulnerability in the QR code scanning endpoint that allows unauthenticated attackers to enumerate and retrieve all customer order records. Attackers can iterate over sequential WordPress post IDs through the scan_qr.php endpoint to harvest the complete set of orders stored in the database without requiring authentication or prior knowledge of specific order identifiers. This plugin was officially closed as of 2026-03-18. Easy PayPal Events & Tickets plugin for WordPress before version 1.4 contain an information disclosure vulnerability in the QR code scanning endpoint that allows unauthenticated attackers to enumerate and retrieve all customer order records. Attackers can iterate over sequential WordPress post IDs through the scan_qr.php endpoint to harvest the complete set of orders stored in the database without requiring authentication or prior knowledge of specific order identifiers.
Title Easy PayPal Events & Tickets 1.3 Information Disclosure via QR Code Endpoint Easy PayPal Events & Tickets < 1.4 Information Disclosure via QR Code Endpoint
References

Mon, 04 May 2026 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Scott Paterson
Scott Paterson easy-paypal-events-tickets
Wordpress
Wordpress wordpress
Vendors & Products Scott Paterson
Scott Paterson easy-paypal-events-tickets
Wordpress
Wordpress wordpress

Mon, 04 May 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 04 May 2026 17:45:00 +0000

Type Values Removed Values Added
Description Easy PayPal Events & Tickets plugin for WordPress versions 1.3 and earlier contain an information disclosure vulnerability in the QR code scanning endpoint that allows unauthenticated attackers to enumerate and retrieve all customer order records. Attackers can iterate over sequential WordPress post IDs through the scan_qr.php endpoint to harvest the complete set of orders stored in the database without requiring authentication or prior knowledge of specific order identifiers. This plugin was officially closed as of 2026-03-18.
Title Easy PayPal Events & Tickets 1.3 Information Disclosure via QR Code Endpoint
Weaknesses CWE-639
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

cvssV4_0

{'score': 8.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Scott Paterson Easy-paypal-events-tickets
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-13T15:11:00.480Z

Reserved: 2026-04-20T16:07:47.312Z

Link: CVE-2026-41471

cve-icon Vulnrichment

Updated: 2026-05-04T18:24:58.406Z

cve-icon NVD

Status : Deferred

Published: 2026-05-04T18:16:29.447

Modified: 2026-05-13T16:16:45.200

Link: CVE-2026-41471

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-13T17:30:06Z

Weaknesses