CVE-2026-4109 · The Eventin – Events Calendar, Event Booking, Ticket & Registration (AI Powered) plugin for WordPress is vulnerable to unauthorized access o

01 · The Real Story

This is a hotel clerk handing out guest cards to anyone who can prove they have a room key

CVE-2026-4109 is a broken access control flaw in the WordPress plugin wp-event-solution (*Eventin – Events Calendar, Event Booking, Ticket & Registration*). In versions up to and including 4.1.8, the plugin's REST path uses an improper capability check in get_item_permissions_check(), so an authenticated user as weak as Subscriber can iterate order IDs and read order records containing customer PII such as names, email addresses, and phone numbers. The fix landed in 4.1.9 and the plugin changelog for April 7, 2026 explicitly notes a security fix.

The vendor's MEDIUM 4.3 baseline is a little generous for fleet prioritization and too optimistic for privacy impact. In real enterprise conditions this is usually post-registration or post-compromise abuse on a plugin with about 10,000+ active installs, not internet-wide unauthenticated compromise. But if a site allows self-registration or creates customer accounts as part of ticketing, the friction drops fast and this becomes a practical bulk-PII scrape. Net: downgrade one bucket to LOW, but keep it out of the ignore pile.

"Low-privilege data leak, not a takeover bug: patch it, but don't drop everything."

02 · The Attack Path

3 steps from start to impact.

STEP 01

Get a low-privilege WordPress account

The attacker needs any authenticated account that maps to at least the WordPress Subscriber role. In practice that usually means self-registration is enabled, a customer/attendee account was created during ticket purchase, credentials were reused, or the actor already has a foothold. Tooling is trivial: a browser, curl, or python-requests is enough; there is no exploit kit magic here.

Conditions required:

Target runs Eventin plugin wp-event-solution version <= 4.1.8
Attacker can authenticate as any WordPress user with Subscriber-level access or higher
The vulnerable REST route is reachable from the attacker

Where this breaks in practice:

Many WordPress sites disable public registration entirely
Some ticketing deployments use guest checkout and never create reusable subscriber accounts
Credential theft or registration abuse is a separate prerequisite that narrows the exposed population

Detection/coverage: Most external scanners can fingerprint the plugin version, but proving exploitability usually requires authenticated testing. WPScan and Wordfence can identify affected versions; standard unauthenticated perimeter scanning often cannot validate the access-control failure.

STEP 02

Call the REST endpoint with a guessed order ID

Once logged in, the attacker sends authenticated requests to the Eventin REST endpoint that relies on the flawed get_item_permissions_check() logic. A manual tester would use Burp Suite Repeater or curl; a script can iterate numeric IDs in seconds. The bug is classic IDOR-style behavior behind login rather than a memory corruption or parser flaw.

Conditions required:

Authenticated session cookie or application password/token is valid
Order IDs are enumerable or guessable
No upstream control blocks access to the Eventin namespace

Where this breaks in practice:

Reverse proxies or WAF rules that restrict /wp-json/ or plugin-specific routes can break the path
Custom hardening may require stronger capabilities than the vulnerable default
Sparse order volumes reduce harvest value

Detection/coverage: Look for authenticated requests to Eventin REST routes with sequential ID access patterns. Web logs and WAF telemetry are better than endpoint controls here; EDR on the server will usually see nothing interesting because the requests are application-legitimate.

STEP 03

Enumerate orders and harvest customer PII

The attacker loops through IDs and collects order responses containing names, email addresses, and phone numbers. This is bulk disclosure, not code execution, so the operational goal is usually privacy theft, phishing preparation, or customer intelligence. A few lines of Python can turn this into a full dump if the site has enough orders.

Conditions required:

The endpoint returns records for IDs outside the attacker's own scope
Orders exist in meaningful volume
Response data includes customer fields

Where this breaks in practice:

Rate limits, bot controls, or anomaly detection can slow mass enumeration
Smaller event sites may only expose dozens of records, limiting payoff
Some environments sanitize or minimize returned fields

Detection/coverage: Application logs can show repeated 200 responses over ascending IDs from low-privilege users. DAST tools may flag broken object-level authorization, but many vuln scanners miss it without authenticated workflows.

03 · Intelligence Metadata

The supporting signals.

In-the-wild status	No public exploitation evidence found during this review. Not listed in CISA KEV, and the NVD entry is deferred rather than enriched.
Proof-of-concept availability	No public GitHub PoC surfaced in review. Practical exploit development is still trivial because this is an authenticated REST authorization flaw, so Burp or `curl` is enough once you know the route.
EPSS	0.00032 from your intel block, which aligns with public third-party mirrors showing roughly 0.02%–0.03% probability territory; that is very low and consistent with niche, authenticated abuse.
KEV status	Not KEV-listed as of the CISA catalog checked in this review; there is no CISA due date because it has not been added.
CVSS vector	`CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N` means remote and easy once logged in, but requires credentials and only impacts confidentiality.
Affected versions	All versions through 4.1.8 of Eventin / `wp-event-solution` are affected according to NVD, Wordfence, and WPScan.
Fixed version	4.1.9 is the first patched release. The plugin changelog dated April 7, 2026 includes `Fix : Security – Patched reported vulnerability (Patchstack)`.
Exposure population	WordPress.org shows about 10,000+ active installations. That is meaningful but not mass-enterprise ubiquity, and the reachable subset is smaller because exploitation also needs authenticated access.
Scanning / telemetry	No reliable internet-wide telemetry surfaced for this specific CVE or plugin route in public review. This is normal for authenticated WordPress plugin flaws: Shodan/Censys can find WordPress sites, but not prove the vulnerable authorization path without login.
Disclosure / researcher	Publicly disclosed on 2026-04-14 via NVD, with Wordfence listing researcher Supakiad S. (m3ez) - E-CQURITY (Thailand) and public publication on 2026-04-13.

04 · The Call

noisgate verdict.

Final Verdict

↓ DOWNGRADED to LOW (3.2/10)

The single biggest downward pressure is the authenticated Subscriber prerequisite: this is not an internet-scale pre-auth compromise, it is a post-registration or post-compromise data exposure on a niche plugin population. Impact matters because it can leak customer PII in bulk, but the blast radius and attacker reach are far narrower than the raw 'network exploitable' label implies.

HIGH Affected version range and fixed version

HIGH Exploit preconditions: authenticated Subscriber+ access

MEDIUM Real-world exposure fraction across Eventin deployments

MEDIUM Absence of public exploitation evidence at review time

Why this verdict

Requires authenticated access: the attacker must already have a WordPress account at Subscriber level or higher, which implies either public registration, customer-account creation, credential theft, or prior foothold.
Narrow exposed population: WordPress.org shows about 10,000+ active installs, and only the subset running <= 4.1.8 with reachable login and the vulnerable REST path is actually exposed.
Confidentiality-only outcome: this leaks order/customer PII but does not directly provide code execution, admin creation, integrity loss, or service disruption.
Low exploitation pressure: your EPSS is 0.00032, it is not KEV-listed, and no credible public campaign or PoC ecosystem surfaced during review.
But not IGNORE: if an Eventin site allows self-registration or routinely creates attendee accounts, the credential hurdle collapses and the bug becomes a very practical scraping issue.

Why not higher?

This is not a pre-auth edge bug, not a privilege-escalation-to-admin bug, and not an RCE. The attacker needs a valid low-privilege account and the impact stays inside order-data disclosure, so there is too much real-world friction to justify MEDIUM-to-HIGH patch panic for a 10,000-host enterprise fleet.

Why not lower?

Calling it IGNORE would miss the privacy angle. On event sites where users can sign up or where ticket purchases create accounts, a random internet user may be able to become the required Subscriber and enumerate customer PII at scale with almost no technical sophistication.

05 · Compensating Control

What to do — in priority order.

Disable self-registration where unnecessary — If the site does not need open account creation, turn it off and remove the easiest path to satisfying the PR:L prerequisite. For a LOW verdict there is no SLA (treat as backlog hygiene), but this is the cleanest immediate risk reducer because it removes anonymous-to-subscriber conversion.
Restrict Eventin REST routes upstream — Block or tightly allowlist the Eventin plugin namespace at the reverse proxy or WAF if business workflows do not require internet exposure to those routes. For LOW, there is no SLA (treat as backlog hygiene), but this is useful when patch lead time is longer than you'd like.
Audit low-privilege account creation — Review who can become Subscriber, how customer accounts are provisioned, and whether stale attendee/customer accounts persist indefinitely. For LOW, there is no SLA (treat as backlog hygiene), but reducing unnecessary low-privilege accounts directly cuts exploitability.
Watch for sequential order access — Alert on authenticated users making repeated reads across ascending or wide-ranging order IDs through /wp-json/ paths. For LOW, there is no SLA (treat as backlog hygiene), but this is one of the few signals that can catch active abuse before exfiltration is complete.

What doesn't work

EDR on the WordPress host usually doesn't help much because the exploit is normal-looking authenticated HTTP traffic, not malware execution.
MFA on admin accounts doesn't solve the core issue if the site still lets strangers create Subscriber/customer accounts directly.
Network segmentation is mostly irrelevant when the vulnerable surface is the public web application itself.

06 · Verification

Crowdsourced verification payload.

Run this on the target WordPress host or from an admin shell in the container/VM that holds the site files. Invoke it as bash check-eventin-cve-2026-4109.sh /var/www/html and give it read access to the WordPress plugin directory; root is not required unless file permissions are locked down.

noisgate-verify.sh

BASHREAD-ONLYSAFE

#!/usr/bin/env bash
# check-eventin-cve-2026-4109.sh
# Detects whether the Eventin WordPress plugin (wp-event-solution) is vulnerable to CVE-2026-4109.
# Exit codes:
#   0 = PATCHED
#   1 = VULNERABLE
#   2 = UNKNOWN

set -u

WP_ROOT="${1:-}"
PLUGIN_DIR=""
VERSION=""

if [[ -z "$WP_ROOT" ]]; then
  echo "UNKNOWN - usage: $0 /path/to/wordpress"
  exit 2
fi

PLUGIN_DIR="$WP_ROOT/wp-content/plugins/wp-event-solution"

if [[ ! -d "$PLUGIN_DIR" ]]; then
  echo "UNKNOWN - plugin directory not found: $PLUGIN_DIR"
  exit 2
fi

# Try the main plugin file first.
for f in \
  "$PLUGIN_DIR/wp-event-solution.php" \
  "$PLUGIN_DIR/eventin.php" \
  "$PLUGIN_DIR/eventin/eventin.php"; do
  if [[ -f "$f" ]]; then
    VERSION=$(grep -iE '^\s*Version:\s*' "$f" 2>/dev/null | head -n1 | sed -E 's/^\s*Version:\s*//I' | tr -d '\r')
    if [[ -n "$VERSION" ]]; then
      break
    fi
  fi
done

# Fall back to readme stable tag.
if [[ -z "$VERSION" && -f "$PLUGIN_DIR/readme.txt" ]]; then
  VERSION=$(grep -iE '^\s*Stable tag:\s*' "$PLUGIN_DIR/readme.txt" 2>/dev/null | head -n1 | sed -E 's/^\s*Stable tag:\s*//I' | tr -d '\r')
fi

if [[ -z "$VERSION" ]]; then
  echo "UNKNOWN - could not determine installed Eventin version"
  exit 2
fi

verlte() {
  # returns success if $1 <= $2 using version sort
  [[ "$1" == "$2" ]] && return 0
  local first
  first=$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)
  [[ "$first" == "$1" ]]
}

if verlte "$VERSION" "4.1.8"; then
  echo "VULNERABLE - Eventin version $VERSION is <= 4.1.8"
  exit 1
fi

echo "PATCHED - Eventin version $VERSION is >= 4.1.9"
exit 0

07 · Bottom Line

If you remember one thing.

TL;DR

Monday morning: find every WordPress host running wp-event-solution, confirm whether public registration or customer-account creation makes the Subscriber prerequisite easy, and upgrade any instance on 4.1.8 or older to 4.1.9+. Because this is a LOW reassessment, there is no noisgate mitigation SLA — treat as backlog hygiene unless you know self-registration is open and customer PII is present; then temporarily restrict the Eventin REST route or registration path while you patch. For the actual fix, use the noisgate remediation SLA for LOW: patch as part of normal maintenance backlog rather than an emergency campaign, but do not let it drift indefinitely if the site handles attendee/customer data.

Sources

Peer Review

What defenders are saying.

Submit a review attribution: handle + country only

0 flags selected · stored anonymously

Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.