Unauthenticated PII disclosure and order forgery in the Eventin WordPress plugin (10,000+ active installs). A public REST endpoint hands out a wp_rest nonce to any visitor, and three downstream permission callbacks accept that nonce as a substitute for authentication — collapsing authorization on every customer order endpoint.
- Full technical writeup: https://lorenzofradeani.com/en/blog/cve-2026-40776
- Patchstack advisory: https://patchstack.com/database/wordpress/plugin/wp-event-solution/vulnerability/wordpress-eventin-plugin-4-1-8-broken-access-control-vulnerability
| Field | Value |
|---|---|
| CVE | CVE-2026-40776 |
| Patchstack PSID | 85de025d71e7 |
| CWE | CWE-862 — Missing Authorization |
| CVSS v3.1 | 7.5 (HIGH) |
| Plugin | Eventin — Events Calendar, Event Booking, Ticket & Registration (wp-event-solution) |
| Affected versions | <= 4.1.8 |
| Patched in | 4.1.9 |
| Active installs | 10,000+ |
| Authentication required | None (unauthenticated) |
| User interaction | None |
| Reported by | Lorenzo Fradeani — independent security research |
| Coordinated by | Patchstack |
| Public disclosure | 2026-04-29 |
Three issues compose into a complete authorization bypass:
- Public nonce dispenser. `core/Admin/hooks.php` (lines 68–77) registers `/wp-json/eventin/v1/nonce` with `permission_callback => '__return_true'` and returns a freshly minted `wp_rest` nonce to any unauthenticated caller.
- Nonce-as-auth permission callbacks. Three controllers in `core/Order/` accept that nonce as the only authorization check:
  - `OrderController::get_item_permissions_check` (lines 146–148) — `current_user_can(...) || wp_verify_nonce(...)`; the `||` makes the nonce alone sufficient.
  - `OrderController::create_item_permissions_check` (lines 476–478) — `wp_verify_nonce(...)` only.
  - `PaymentController::create_payment_permission_check` (lines 66–70) — `wp_verify_nonce(...)` only.
- IDOR + fully open seat-booking endpoint. `OrderController::get_item` (lines 310–317) loads any order by sequential WordPress post ID without ownership verification, and `/book-seats` (lines 129–137) uses `permission_callback => function() { return true; }` (no auth at all).
End-to-end, four unauthenticated requests are enough to dump every customer order (full names, emails, phone numbers, payment methods, attendees roster) and to forge new orders. See ADVISORY.md for the full technical breakdown and poc/poc-eventin.sh for a reproducible PoC.
Update wp-event-solution to 4.1.9 or later. There is no in-version workaround for older releases short of disabling the plugin or blocking the affected REST routes (/wp-json/eventin/v1/nonce, /wp-json/eventin/v2/orders*, /wp-json/eventin/v2/payments, /wp-json/eventin/v2/orders/book-seats) at the web-server / WAF layer.
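For plugin authors, the permission-callback pattern described above placed next to a corrected version. This is an added example, not Eventin's code; the route name, the `manage_options` capability, the `etn-order` post type and `post_author` as the order's owner are assumptions used for illustration.

```php
<?php
// Added example (not Eventin's code). Route, capability, post type and
// owner field are assumptions for illustration.

// Vulnerable shape. A wp_rest nonce is a CSRF token tied to the caller's
// session, and an anonymous visitor has one too. When an endpoint hands the
// nonce to anyone, the right-hand side of || is always satisfiable, so the
// capability check on the left never has to pass.
function vulnerable_get_item_permissions_check( WP_REST_Request $request ) {
    return current_user_can( 'manage_options' )
        || wp_verify_nonce( $request->get_header( 'X-WP-Nonce' ), 'wp_rest' );
}

// Hardened shape. Nonce validation is left to the REST API's cookie-auth
// layer, which runs before this callback and downgrades a request with a
// missing or invalid X-WP-Nonce to user 0. Authorization is then decided from
// the authenticated user and the resource's owner, never from the nonce.
function hardened_get_item_permissions_check( WP_REST_Request $request ) {
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'rest_forbidden', 'Authentication required.', array( 'status' => 401 ) );
    }
    $order = get_post( (int) $request->get_param( 'id' ) );
    // Same response for a missing order and someone else's order, so the
    // sequential post ID space cannot be used as an existence oracle.
    $not_found = new WP_Error( 'rest_not_found', 'Order not found.', array( 'status' => 404 ) );
    if ( ! $order || 'etn-order' !== $order->post_type ) {
        return $not_found;
    }
    if ( current_user_can( 'manage_options' ) ) {
        return true; // administrators may read any order
    }
    if ( (int) $order->post_author === get_current_user_id() ) {
        return true; // customers may read only their own order
    }
    return $not_found;
}

// Minimal handler so the route below is complete; a real plugin returns the order.
function example_get_order( WP_REST_Request $request ) {
    return rest_ensure_response( array( 'id' => (int) $request->get_param( 'id' ) ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v2', '/orders/(?P<id>\d+)', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_get_order',
        'permission_callback' => 'hardened_get_item_permissions_check',
        'args'                => array( 'id' => array( 'validate_callback' => 'is_numeric' ) ),
    ) );
} );
```

The same rule applies to the create-order and payment callbacks: `wp_verify_nonce` on its own decides only whether the request came from the caller's own page, not who the caller is.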
```
.
├── README.md                       this file
├── ADVISORY.md                     full technical advisory + code review
├── LICENSE                         MIT
├── poc/
│   └── poc-eventin.sh              4-step bash PoC against a local lab
└── screenshots/
    ├── poc1-idor-pii-leak.png      IDOR read of order #21 with full PII
    ├── poc2-no-nonce-blocked.png   same request without nonce → 401
    └── poc3-fake-order-created.png unauthenticated POST creating a fake order
```
| Date | Event |
|---|---|
| 2026-03-10 | Reported to Patchstack |
| 2026-04-07 | Vendor releases Eventin 4.1.9 (fix) |
| 2026-04-13 | Coordination milestone (Patchstack) |
| 2026-04-29 | Public disclosure (Patchstack advisory) |
| 2026-05-01 | Third-party trackers pick it up (WP-Firewall, Managed-WP, SolidWP) |
| 2026-05-04 | This repository published |
- Full writeup (canonical): https://lorenzofradeani.com/en/blog/cve-2026-40776
- Patchstack advisory: https://patchstack.com/database/wordpress/plugin/wp-event-solution/vulnerability/wordpress-eventin-plugin-4-1-8-broken-access-control-vulnerability
- Plugin on wordpress.org: https://wordpress.org/plugins/wp-event-solution/
- CWE-862 — Missing Authorization: https://cwe.mitre.org/data/definitions/862.html
This material is published for defensive and educational purposes — to help WordPress site operators identify exposure, to help plugin authors avoid the same mistake (treating a CSRF nonce as authentication), and to document a real-world example of how the || short-circuit in a permission callback collapses authorization. Do not run the PoC against systems you do not own or do not have explicit written authorization to test.