Primary

Context

Eventin WordPress Plugin Missing Authorization Vulnerability Allows Data Exposure

Vulnerability

A vulnerability exists in the Eventin WordPress plugin, specifically in the Events Calendar, Event Booking, Ticket & Registration (AI Powered) version 4.1.8 and prior. The issue stems from an improper capability check in the 'get_item_permissions_check()' function, which fails to adequately restrict access to order data. This flaw enables authenticated attackers with Subscriber-level access or higher to read sensitive order information, including personal identifiable information (PII) such as names, email addresses, and phone numbers, by systematically iterating through order IDs.

Impact

Exploitation of this vulnerability could lead to unauthorized access and exposure of sensitive customer order information, including personal identifiable information (PII) such as names, email addresses, and phone numbers.

Remediation

Users are advised to update the Eventin WordPress plugin to version 4.1.9 or a newer patched version.

Added: Apr 14, 2026, 9:40 AM

Updated: Apr 14, 2026, 9:40 AM

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

2.5

exploitability

5.2

remediation

0.0

relevance

5.9

threat

0.0

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

2.5

exploitability

5.2

remediation

0.0

relevance

5.9

threat

0.0

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Eventin WordPress Plugin Missing Authorization Vulnerability Allows Data Exposure

Vulnerability

Impact

Remediation

Affected Products

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating