CyberRota
← Ana sayfaya dön

CVE-2026-13039

MEDIUM · CVSS 5.3

Kaynak: NVD + CISA KEV + EPSS · Yayınlanma: 2026-07-10T21:16:53.283 · Çekilme zamanı: 2026-07-11T00:07:00.165429+00:00

CyberRota Yorumu

Detaylı analiz gerekiyor.

CVE
CVE-2026-13039
Severity
MEDIUM
CVSS
5.3
EPSS
Yok
WordPress

Orijinal NVD Açıklaması

The Eventin – Event Calendar, Event Registration, Tickets & Booking (AI Powered) plugin for WordPress is vulnerable to authorization bypass due to a regression in versions from 4.0.26 up to and including 4.1.15. This is due to the plugin not properly verifying that a user is authorized to perform an action in the payment_complete() function of PaymentController.php. This makes it possible for unauthenticated attackers to mark unpaid ticket orders as completed by submitting a fabricated SureCart checkout ID or FluentCart cart hash, granting themselves paid event access, QR-code attendee tickets, and order confirmation emails without making any real payment. The wp_rest nonce required to reach the vulnerable endpoint is embedded in every public event page, meaning no WordPress session or credentials are needed to obtain it. This vulnerability represents a regression — the same function and endpoint were previously patched but the fix did not persist through subsequent releases.