Description
The Event Monster – Event Management, Events Calendar, Tickets plugin for WordPress is vulnerable to Insufficient Verification of Data Authenticity in versions up to, and including, 2.1.0. This is due to the capture_payment() AJAX handler (registered via wp_ajax_nopriv_em_capture_payment) trusting client-supplied payment data — including transaction ID, amount, and payment status — without performing any server-side verification against the PayPal API or any other payment gateway, and without nonce or capability checks. This makes it possible for unauthenticated attackers to forge payment records, mark bookings as Completed, and obtain confirmation emails containing valid QR code tickets without making any actual payment.
Published: 2026-06-05
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Event Monster plugin’s AJAX handler accepts client‑supplied payment data such as transaction ID, amount and status without any server‑side verification or nonce checks, allowing an attacker to forge payment records, mark event bookings as completed and obtain valid QR code tickets and confirmation emails without paying. This flaw enables financial fraud and unauthorized event access.

Affected Systems

The vulnerability affects the Event Monster – Event Manager, Ticket Booking & Registration WordPress plugin from awordpresslife, versions up to and including 2.1.0. The plugin is widely used on WordPress sites that host events and sell tickets.

Risk and Exploitability

The CVSS score of 5.3 suggests medium severity. EPSS information is not available, so the exploitation likelihood is uncertain, but the attack vector is unauthenticated via the wp_ajax_nopriv_em_capture_payment endpoint, meaning anyone can exploit it. The issue is not listed in CISA’s KEV catalog, yet it allows attackers to bypass payment gateways entirely.

Generated by OpenCVE AI on June 6, 2026 at 01:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Event Monster to the latest version that removes the unauthenticated payment bypass.
  • If an upgrade is not immediately possible, restrict unauthenticated access to the em_capture_payment AJAX endpoint, for example by adding capability checks or requiring a nonce with wp_ajax_{action}.
  • Review all existing bookings and payment records for suspicious entries and manually correct any fraudulent confirmed payments.

Generated by OpenCVE AI on June 6, 2026 at 01:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 07 Jun 2026 11:30:00 +0000

Type Values Removed Values Added
First Time appeared Awordpresslife
Awordpresslife event Monster – Event Manager, Ticket Booking & Registration
Wordpress
Wordpress wordpress
Vendors & Products Awordpresslife
Awordpresslife event Monster – Event Manager, Ticket Booking & Registration
Wordpress
Wordpress wordpress

Sat, 06 Jun 2026 12:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sat, 06 Jun 2026 00:00:00 +0000

Type Values Removed Values Added
Description The Event Monster – Event Management, Events Calendar, Tickets plugin for WordPress is vulnerable to Insufficient Verification of Data Authenticity in versions up to, and including, 2.1.0. This is due to the capture_payment() AJAX handler (registered via wp_ajax_nopriv_em_capture_payment) trusting client-supplied payment data — including transaction ID, amount, and payment status — without performing any server-side verification against the PayPal API or any other payment gateway, and without nonce or capability checks. This makes it possible for unauthenticated attackers to forge payment records, mark bookings as Completed, and obtain confirmation emails containing valid QR code tickets without making any actual payment.
Title Event Monster <= 2.1.0 - Unauthenticated Insufficient Verification of Data Authenticity to Payment Bypass via em_capture_payment AJAX Action
Weaknesses CWE-345
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

Subscriptions

Awordpresslife Event Monster – Event Manager, Ticket Booking & Registration
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-06T11:45:50.031Z

Reserved: 2026-05-14T15:59:18.646Z

Link: CVE-2026-8608

cve-icon Vulnrichment

Updated: 2026-06-06T11:45:45.419Z

cve-icon NVD

Status : Deferred

Published: 2026-06-06T00:16:41.757

Modified: 2026-06-08T14:57:14.757

Link: CVE-2026-8608

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-07T11:15:29Z

Weaknesses
  • CWE-345

    Insufficient Verification of Data Authenticity