CVE-2026-13039
MEDIUMCVSS v3.1: 5.3
Source data as of:
At a glance
- Severity
- MEDIUM
- CVSS
- 5.3 v3.1 · NVD
- EPSS
- EPSS not provided by FIRST.org for this CVE
- CISA KEV
- No
- Type
- Missing Authorization · NVD CWE
- Attack conditions (CVSS vector)
- NetworkNo privilegesNo user interaction · Source: NVD Vector
- Published
- 2026-07-10 · Modified: 2026-07-10
- References
- Jump to references (2)
CVSS / EPSS / KEV
Source — CVSS: NVD · EPSS: FIRST.org · KEV: CISA. Data & Sources
Description
The Eventin – Event Calendar, Event Registration, Tickets & Booking (AI Powered) plugin for WordPress is vulnerable to authorization bypass due to a regression in versions from 4.0.26 up to and including 4.1.15. This is due to the plugin not properly verifying that a user is authorized to perform an action in the payment_complete() function of PaymentController.php. This makes it possible for unauthenticated attackers to mark unpaid ticket orders as completed by submitting a fabricated SureCart checkout ID or FluentCart cart hash, granting themselves paid event access, QR-code attendee tickets, and order confirmation emails without making any real payment. The wp_rest nonce required to reach the vulnerable endpoint is embedded in every public event page, meaning no WordPress session or credentials are needed to obtain it. This vulnerability represents a regression — the same function and endpoint were previously patched but the fix did not persist through subsequent releases.
References
Reference URLs as listed by NVD, grouped by a mechanical match on the link's host/pattern. Labels describe the link type only.