Description
The Event Monster – Event Management, Events Calendar, Tickets plugin for WordPress is vulnerable to Insufficient Verification of Data Authenticity in versions up to, and including, 2.1.0. This is due to the capture_payment() AJAX handler (registered via wp_ajax_nopriv_em_capture_payment) trusting client-supplied payment data — including transaction ID, amount, and payment status — without performing any server-side verification against the PayPal API or any other payment gateway, and without nonce or capability checks. This makes it possible for unauthenticated attackers to forge payment records, mark bookings as Completed, and obtain confirmation emails containing valid QR code tickets without making any actual payment.
Published: 2026-06-05
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Event Monster plugin’s AJAX handler accepts client‑supplied payment data such as transaction ID, amount and status without any server‑side verification or nonce checks, allowing an attacker to forge payment records, mark event bookings as completed and obtain valid QR code tickets and confirmation emails without paying. This flaw enables financial fraud and unauthorized event access.

Affected Systems

The vulnerability affects the Event Monster – Event Manager, Ticket Booking & Registration WordPress plugin from awordpresslife, versions up to and including 2.1.0. The plugin is widely used on WordPress sites that host events and sell tickets.

Risk and Exploitability

The CVSS score of 5.3 suggests medium severity. EPSS information is not available, so the exploitation likelihood is uncertain, but the attack vector is unauthenticated via the wp_ajax_nopriv_em_capture_payment endpoint, meaning anyone can exploit it. The issue is not listed in CISA’s KEV catalog, yet it allows attackers to bypass payment gateways entirely.

Generated by OpenCVE AI on June 6, 2026 at 01:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Event Monster to the latest version that removes the unauthenticated payment bypass.
  • If an upgrade is not immediately possible, restrict unauthenticated access to the em_capture_payment AJAX endpoint, for example by adding capability checks or requiring a nonce with wp_ajax_{action}.
  • Review all existing bookings and payment records for suspicious entries and manually correct any fraudulent confirmed payments.

Generated by OpenCVE AI on June 6, 2026 at 01:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 06 Jun 2026 00:00:00 +0000

Type Values Removed Values Added
Description The Event Monster – Event Management, Events Calendar, Tickets plugin for WordPress is vulnerable to Insufficient Verification of Data Authenticity in versions up to, and including, 2.1.0. This is due to the capture_payment() AJAX handler (registered via wp_ajax_nopriv_em_capture_payment) trusting client-supplied payment data — including transaction ID, amount, and payment status — without performing any server-side verification against the PayPal API or any other payment gateway, and without nonce or capability checks. This makes it possible for unauthenticated attackers to forge payment records, mark bookings as Completed, and obtain confirmation emails containing valid QR code tickets without making any actual payment.
Title Event Monster <= 2.1.0 - Unauthenticated Insufficient Verification of Data Authenticity to Payment Bypass via em_capture_payment AJAX Action
Weaknesses CWE-345
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-05T23:28:27.949Z

Reserved: 2026-05-14T15:59:18.646Z

Link: CVE-2026-8608

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-06-06T00:16:41.757

Modified: 2026-06-06T00:16:41.757

Link: CVE-2026-8608

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-06T01:30:06Z

Weaknesses