Vulnerabilities and security research for easy-paypal-events-tickets
Jun 07, 2024
Easy PayPal Events # cc5c994c8fa9b2416f0e97a9f763aaab5c71441e
- CVE, Research URL
- Home page URL
- Application
- Date: Oct 11, 2021
- Research Description: Easy PayPal Events & Tickets [easy-paypal-events-tickets] < 1.1.2. WordPress Easy PayPal Events plugin <= 1.1.1 - Reflected Cross-Site Scripting (XSS) vulnerability. Reflected Cross-Site Scripting (XSS) vulnerability discovered by WPScanTeam in WordPress Easy PayPal Events plugin (versions <= 1.1.1).
- Affected versions: max 1.1.2.
- Status: vulnerable
Sep 26, 2024
Easy PayPal Events # CVE-2024-8476
- CVE, Research URL
- Home page URL
- Application
- Date: Sep 25, 2024
- Research Description: The Easy PayPal Events plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.1. This is due to missing or incorrect nonce validation on the wpeevent_plugin_buttons() function. This makes it possible for unauthenticated attackers to delete arbitrary posts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
- Affected versions: max 1.2.2.
- Status: vulnerable
May 09, 2025
Easy PayPal Events # CVE-2025-47519
- CVE, Research URL
- Home page URL
- Application
- Date: May 07, 2025
- Research Description: Cross-Site Request Forgery (CSRF) vulnerability in Scott Paterson Easy PayPal Events allows Cross Site Request Forgery. This issue affects Easy PayPal Events: from n/a through 1.2.2.
- Affected versions: max 1.3.
- Status: vulnerable
May 07, 2026
Easy PayPal Events # CVE-2026-41471
- CVE, Research URL
- Home page URL
- Application
- Date: May 04, 2026
- Research Description: Easy PayPal Events & Tickets plugin for WordPress versions 1.3 and earlier contain an information disclosure vulnerability in the QR code scanning endpoint that allows unauthenticated attackers to enumerate and retrieve all customer order records. Attackers can iterate over sequential WordPress post IDs through the scan_qr.php endpoint to harvest the complete set of orders stored in the database without requiring authentication or prior knowledge of specific order identifiers. This plugin was officially closed as of 2026-03-18.
- Affected versions: max 1.3.
- Status: vulnerable
Easy PayPal Events # CVE-2026-32834
- CVE, Research URL
- Home page URL
- Application
- Date: May 04, 2026
- Research Description: Easy PayPal Events & Tickets plugin for WordPress versions 1.3 and earlier contain a hardcoded authentication bypass vulnerability in the QR code scanning functionality that allows unauthenticated remote attackers to bypass hash verification by supplying 'test' as the hash parameter. Attackers can access the vulnerable endpoint via the add_wpeevent_button_qr action to retrieve sensitive order details including PayPal transaction IDs, customer email addresses, purchase amounts, and ticket information for any order with a known or guessed post ID. This plugin was officially closed as of 2026-03-18.
- Affected versions: max 1.3.
- Status: vulnerable