Description
Easy PayPal Events & Tickets plugin for WordPress versions 1.3 and earlier contain an information disclosure vulnerability in the QR code scanning endpoint that allows unauthenticated attackers to enumerate and retrieve all customer order records. Attackers can iterate over sequential WordPress post IDs through the scan_qr.php endpoint to harvest the complete set of orders stored in the database without requiring authentication or prior knowledge of specific order identifiers. This plugin was officially closed as of 2026-03-18.
Published: 2026-05-04
Score: 8.2 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An unauthenticated attacker can use the QR‑code scanning endpoint to enumerate all customer order records by iterating sequential WordPress post IDs. The plugin fails to enforce any authentication, resulting in the disclosure of complete order data stored in the database.

Affected Systems

WordPress sites that have installed the Easy PayPal Events & Tickets plugin version 1.3 or earlier. The plugin is developed by Scott Paterson.

Risk and Exploitability

The CVSS score of 8.2 indicates a high impact vulnerability, but no EPSS score is provided, so the current exploitation probability cannot be quantified. The vulnerability is not listed in the CISA KEV catalog. Attackers can trigger the flaw simply by sending HTTP requests to the scan_qr.php endpoint without any prior knowledge or credentials. The lack of authentication control and the ability to iterate over post IDs make exploitation straightforward.

Generated by OpenCVE AI on May 4, 2026 at 18:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Disable or uninstall the Easy PayPal Events & Tickets plugin to remove the vulnerable endpoint immediately.
  • If customer order data remains in the database, delete the plugin’s tables or export and safely purge the data to prevent accidental disclosure.
  • Configure the web server or .htaccess to block or restrict access to scan_qr.php and any other plugin endpoints that could expose information.
  • Maintain a current backup of the WordPress installation to restore the system if corruption occurs during cleanup.

Generated by OpenCVE AI on May 4, 2026 at 18:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 04 May 2026 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Scott Paterson
Scott Paterson easy-paypal-events-tickets
Wordpress
Wordpress wordpress
Vendors & Products Scott Paterson
Scott Paterson easy-paypal-events-tickets
Wordpress
Wordpress wordpress

Mon, 04 May 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 04 May 2026 17:45:00 +0000

Type Values Removed Values Added
Description Easy PayPal Events & Tickets plugin for WordPress versions 1.3 and earlier contain an information disclosure vulnerability in the QR code scanning endpoint that allows unauthenticated attackers to enumerate and retrieve all customer order records. Attackers can iterate over sequential WordPress post IDs through the scan_qr.php endpoint to harvest the complete set of orders stored in the database without requiring authentication or prior knowledge of specific order identifiers. This plugin was officially closed as of 2026-03-18.
Title Easy PayPal Events & Tickets 1.3 Information Disclosure via QR Code Endpoint
Weaknesses CWE-639
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

cvssV4_0

{'score': 8.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Scott Paterson Easy-paypal-events-tickets
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-04T18:25:02.485Z

Reserved: 2026-04-20T16:07:47.312Z

Link: CVE-2026-41471

cve-icon Vulnrichment

Updated: 2026-05-04T18:24:58.406Z

cve-icon NVD

Status : Received

Published: 2026-05-04T18:16:29.447

Modified: 2026-05-04T18:16:29.447

Link: CVE-2026-41471

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-04T19:43:46Z

Weaknesses