Vulnerabilities and security researches forevent-espresso-decaf event-espresso-decaf

Jan 28, 2026

CVE, Research URL: CVE-2025-68007
Home page URL: Security reports for Event Espresso 4 Decaf – Event Registration Event Ticketing
Application: Event Espresso 4 Decaf – Event Registration Event Ticketing
Date: Jan 22, 2026
Research Description: Missing Authorization vulnerability in Event Espresso Event Espresso 4 Decaf event-espresso-decaf allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Event Espresso 4 Decaf: from n/a through <= 5.0.37.decaf.
Affected versions: max 5.0.37.
Status: vulnerable

Jan 03, 2025

CVE, Research URL: CVE-2024-56251
Home page URL: Security reports for Event Espresso 4 Decaf – Event Registration Event Ticketing
Application: Event Espresso 4 Decaf – Event Registration Event Ticketing
Date: Jan 02, 2025
Research Description: Cross-Site Request Forgery (CSRF) vulnerability in Event Espresso Event Espresso 4 Decaf allows Cross Site Request Forgery.This issue affects Event Espresso 4 Decaf: from n/a through 5.0.28.decaf.
Affected versions: max 5.0.31.decaf.
Status: vulnerable

Aug 22, 2024

CVE, Research URL: CVE-2024-6883
Home page URL: Security reports for Event Espresso 4 Decaf – Event Registration Event Ticketing
Application: Event Espresso 4 Decaf – Event Registration Event Ticketing
Date: Aug 21, 2024
Research Description: The Event Espresso 4 Decaf – Event Registration Event Ticketing plugin for WordPress is vulnerable to limited unauthorized plugin settings modification due to a missing capability check on the saveTimezoneString and some other functions in all versions up to, and including, 5.0.22.decaf. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify some of the plugin settings.
Affected versions: max 5.0.22.decaf.
Status: vulnerable

Jun 07, 2024

CVE, Research URL: CVE-2021-4404
Home page URL: Security reports for Event Espresso 4 Decaf – Event Registration Event Ticketing
Application: Event Espresso 4 Decaf – Event Registration Event Ticketing
Date: Jul 01, 2023
Research Description: The Event Espresso 4 Decaf plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.10.11. This is due to missing or incorrect nonce validation on the ajaxHandler() function. This makes it possible for unauthenticated attackers to op into notifications via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Affected versions: max 4.10.12.
Status: vulnerable

CVE, Research URL: 0d179fff144e451edfdd3cb96273a090f56f2585
Home page URL: Security reports for Event Espresso 4 Decaf – Event Registration Event Ticketing
Application: Event Espresso 4 Decaf – Event Registration Event Ticketing
Date: Aug 16, 2021
Research Description: Event Espresso – Event Registration & Ticketing Sales [event-espresso-decaf] < 4.10.14 (closed) WordPress Event Espresso 4 Decaf plugin <= 4.10.12.decaf - Cross-Site Request Forgery (CSRF) vulnerability Cross-Site Request Forgery (CSRF) vulnerability discovered by Jerome Bruandet (NinTechNet) in WordPress Event Espresso 4 Decaf plugin (versions <= 4.10.12.decaf).
Affected versions: max 4.10.14.
Status: vulnerable

CVE, Research URL: CVE-2023-27437
Home page URL: Security reports for Event Espresso 4 Decaf – Event Registration Event Ticketing
Application: Event Espresso 4 Decaf – Event Registration Event Ticketing
Date: Jun 04, 2024
Research Description: Missing Authorization vulnerability in Event Espresso Event Espresso 4 Decaf allows Functionality Misuse.This issue affects Event Espresso 4 Decaf: from n/a through 4.10.44.Decaf.
Affected versions: max 4.10.45.decaf.
Status: vulnerable

CVE, Research URL: -
Home page URL: Security reports for Event Espresso 4 Decaf – Event Registration Event Ticketing
Application: Event Espresso 4 Decaf – Event Registration Event Ticketing
Date: Jun 07, 2023
Research Description: Rejected reason: CVE split into individual CVE IDs for each software record.
Affected versions: max 4.10.11.
Status: vulnerable