cleantalk
Vulnerabilities and Security Researches

Event Manager, Events Calendar, Events Tickets for WooCommerce – Eventin, CVE-2026-4109

CVE, Research URL

CVE-2026-4109

Home page URL

Security reports for Event Manager, Events Calendar, Events Tickets for WooCommerce – Eventin

Application

Event Manager, Events Calendar, Events Tickets for WooCommerce – Eventin

Published on
Apr 14, 2026
Research Description
The Eventin – Events Calendar, Event Booking, Ticket & Registration (AI Powered) plugin for WordPress is vulnerable to unauthorized access of data due to a improper capability check on the get_item_permissions_check() function in all versions up to, and including, 4.1.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read arbitrary order data including customer PII (name, email, phone) by iterating order IDs.
Affected versions
max 4.1.9.
Status
vulnerable
Previous vulnerability researches
Import and export users and customers (CVE-2024-22151) , Jun 10, 2024
Import and export users and customers (CVE-2019-15327) , Jun 07, 2024
Import and export users and customers (CVE-2022-1255) , Jun 07, 2024
Import and export users and customers (CVE-2020-22277) , Jun 07, 2024
Import and export users and customers (CVE-2019-14683) , Jun 07, 2024
New vulnerability
Icegram Express – Email Marketing, Newsletters and Automation for WordPress & WooCommerce (CVE-2026-1651) , Apr 15, 2026
Contact Form builder with drag & drop for WordPress – Kali Forms (CVE-2026-1860) , Apr 15, 2026
Related Posts by Taxonomy (CVE-2026-0916) , Apr 15, 2026
Ivory Search – WordPress Search Plugin (CVE-2026-1053) , Apr 15, 2026
Gallery Plugin for WordPress – Envira Photo Gallery (CVE-2026-1236) , Apr 15, 2026