{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/easy-paypal-events--tickets-plugin/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-41471"}],"_cs_exploited":false,"_cs_products":["Easy PayPal Events \u0026 Tickets plugin"],"_cs_severities":["high"],"_cs_tags":["wordpress","info-disclosure","cve-2026-41471","unauthenticated","enumeration"],"_cs_type":"advisory","_cs_vendors":["WordPress"],"content_html":"\u003cp\u003eThe Easy PayPal Events \u0026amp; Tickets plugin for WordPress, versions 1.3 and earlier, contains an information disclosure vulnerability (CVE-2026-41471). The \u003ccode\u003escan_qr.php\u003c/code\u003e endpoint accepts a WordPress post ID from an unauthenticated client and, if an order record exists for that ID, returns it, so an attacker can request sequential post IDs and retrieve customer order records from the WordPress database one at a time. The plugin was closed on March 18, 2026 rather than patched, so no fixed version exists and every installation remains vulnerable. 
This allows for the potential harvesting of sensitive customer data including names, addresses, and purchase histories.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a WordPress site using the vulnerable Easy PayPal Events \u0026amp; Tickets plugin (version 1.3 or earlier).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the \u003ccode\u003escan_qr.php\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the request to iterate through sequential WordPress post IDs.\u003c/li\u003e\n\u003cli\u003eThe server processes the request without proper authentication or authorization checks.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003escan_qr.php\u003c/code\u003e endpoint queries the WordPress database for order records associated with the provided post ID.\u003c/li\u003e\n\u003cli\u003eIf a valid order record is found, the server returns the information in the HTTP response.\u003c/li\u003e\n\u003cli\u003eThe attacker parses the HTTP response to extract customer order information.\u003c/li\u003e\n\u003cli\u003eThe attacker repeats steps 2-7, incrementing the post ID to enumerate all order records.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows unauthenticated attackers to retrieve all customer order records stored in the WordPress database. This can lead to the disclosure of sensitive customer information, including names, email addresses, purchase history, and potentially other personal details. The number of affected victims depends on the popularity and usage of the vulnerable plugin. 
If the database also holds financial information, the impact is correspondingly more severe.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule that flags requests to the \u003ccode\u003escan_qr.php\u003c/code\u003e endpoint with sequential post IDs; a burst of distinct IDs from one client in a short window is enumeration, not a single ticket scan.\u003c/li\u003e\n\u003cli\u003eIf the Easy PayPal Events \u0026amp; Tickets plugin is still installed, remove it: it was closed on 2026-03-18 without a fix, so there is no safe version to update to.\u003c/li\u003e\n\u003cli\u003eReview web server access logs for requests to the \u003ccode\u003escan_qr.php\u003c/code\u003e endpoint, paying particular attention to unfamiliar source IP addresses and to response sizes, since a found order record is returned in the response body.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T18:16:29Z","date_published":"2026-05-04T18:16:29Z","id":"/briefs/2026-05-wordpress-easy-paypal-info-disclosure/","summary":"An information disclosure vulnerability in the Easy PayPal Events \u0026 Tickets WordPress plugin (versions 1.3 and earlier) allows unauthenticated attackers to enumerate and retrieve all customer order records via the scan_qr.php endpoint.","title":"WordPress Easy PayPal Events \u0026 Tickets Plugin Information Disclosure Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-wordpress-easy-paypal-info-disclosure/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-32834"}],"_cs_exploited":false,"_cs_products":["Easy PayPal Events \u0026 Tickets plugin"],"_cs_severities":["high"],"_cs_tags":["wordpress","authentication bypass","vulnerability"],"_cs_type":"advisory","_cs_vendors":["WordPress"],"content_html":"\u003cp\u003eThe Easy PayPal Events \u0026amp; Tickets plugin for WordPress, versions 1.3 and earlier, contains a hardcoded authentication bypass vulnerability (CVE-2026-32834) in its QR code scanning functionality. 
This flaw allows unauthenticated remote attackers to bypass hash verification by supplying the literal string \u003ccode\u003etest\u003c/code\u003e as the \u003ccode\u003ehash\u003c/code\u003e parameter when calling the \u003ccode\u003eadd_wpeevent_button_qr\u003c/code\u003e action. With the check bypassed, an attacker can retrieve the order details associated with any post ID, including PayPal transaction IDs, customer email addresses, purchase amounts, and ticket information. The plugin was closed on March 18, 2026 without a fix, so any remaining installation must be found and removed rather than updated.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a WordPress site using the Easy PayPal Events \u0026amp; Tickets plugin (version 1.3 or earlier).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts an HTTP GET request to the \u003ccode\u003e/wp-admin/admin-ajax.php\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe request sets the \u003ccode\u003eaction\u003c/code\u003e parameter to \u003ccode\u003eadd_wpeevent_button_qr\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe request sets the \u003ccode\u003ehash\u003c/code\u003e parameter to the hardcoded value \u003ccode\u003etest\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe request includes a \u003ccode\u003epost_id\u003c/code\u003e parameter, guessed, walked sequentially, or obtained elsewhere.\u003c/li\u003e\n\u003cli\u003eThe plugin\u0026rsquo;s hash check accepts the hardcoded value, so the request passes verification without the legitimate hash.\u003c/li\u003e\n\u003cli\u003eThe plugin processes the request and retrieves the order details associated with the supplied \u003ccode\u003epost_id\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker receives that data, including PayPal transaction IDs, customer email addresses, purchase amounts, and ticket information.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 
id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability grants unauthenticated attackers access to sensitive customer and transaction data for events and tickets managed through the Easy PayPal Events \u0026amp; Tickets plugin. The leaked information, including customer email addresses and PayPal transaction IDs, can be used for follow-on attacks such as phishing campaigns, identity theft, and financial fraud. The number of affected WordPress sites is unknown, but any site running a vulnerable version of the plugin is at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eIf the plugin is still installed, remove it immediately; no patched version exists.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect WordPress Easy PayPal Events \u0026amp; Tickets Authentication Bypass Attempt\u003c/code\u003e to your SIEM to detect exploitation attempts targeting the vulnerable endpoint.\u003c/li\u003e\n\u003cli\u003eInspect web server logs for requests to \u003ccode\u003e/wp-admin/admin-ajax.php\u003c/code\u003e with the \u003ccode\u003eaction\u003c/code\u003e parameter set to \u003ccode\u003eadd_wpeevent_button_qr\u003c/code\u003e and the \u003ccode\u003ehash\u003c/code\u003e parameter set to \u003ccode\u003etest\u003c/code\u003e. Access logs record the query string of GET requests only; the same parameters sent in a POST body are visible only to a WAF or to request-body logging.\u003c/li\u003e\n\u003cli\u003eTreat every matching request that received a 200 response as a disclosure of the order tied to that \u003ccode\u003epost_id\u003c/code\u003e; the data leaves in the HTTP response itself, so there is no separate exfiltration channel to watch for.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T18:16:27Z","date_published":"2026-05-04T18:16:27Z","id":"/briefs/2026-05-wordpress-paypal-auth-bypass/","summary":"An unauthenticated remote attacker can exploit a hardcoded authentication bypass vulnerability in the Easy PayPal Events \u0026 Tickets plugin for WordPress (versions 1.3 and earlier) by providing 'test' as the hash parameter, allowing 
retrieval of sensitive order details.","title":"WordPress Easy PayPal Events \u0026 Tickets Plugin Authentication Bypass Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-wordpress-paypal-auth-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed — Easy PayPal Events \u0026 Tickets Plugin","version":"https://jsonfeed.org/version/1.1"}
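Both briefs above end with the same advice: watch the access logs for the two request shapes they describe. The script below is an added example, not code from the feed or from the plugin, that applies both detections to Combined Log Format lines: it flags admin-ajax.php requests carrying action=add_wpeevent_button_qr with hash=test (CVE-2026-32834), and it flags a single client walking many distinct integer IDs against scan_qr.php within a short window (CVE-2026-41471). The sample log lines are constructed; the plugin directory name, the `id` parameter name used for scan_qr.php (the brief does not name the parameter, so the check counts every integer-valued query parameter rather than assuming one), and the threshold and window values are assumptions.

```python
"""Access-log triage for the two Easy PayPal Events & Tickets briefs.

Added example; not code from the feed or from the plugin. It parses
Combined Log Format lines (constructed samples below) and flags:

  1. CVE-2026-32834: a request to /wp-admin/admin-ajax.php whose query string
     carries action=add_wpeevent_button_qr together with hash=test.
  2. CVE-2026-41471: one client querying scan_qr.php with many distinct
     integer IDs inside a short window. The brief does not name the parameter
     that carries the post ID, so every integer-valued parameter is counted;
     the "id" name and plugin directory in the samples are assumed.
"""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Combined Log Format: ip ident user [ts] "method target proto" status size ...
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
AJAX_PATH = "/wp-admin/admin-ajax.php"
ENUM_THRESHOLD = 5      # distinct IDs from one source IP ...  (assumed tuning)
ENUM_WINDOW_S = 60      # ... within this many seconds          (assumed tuning)

# Constructed sample log; plugin directory name and the "id" parameter are assumed.
SAMPLE_LOG = """\
203.0.113.7 - - [04/May/2026:18:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=add_wpeevent_button_qr&hash=test&post_id=118 HTTP/1.1" 200 412
203.0.113.7 - - [04/May/2026:18:00:02 +0000] "GET /wp-admin/admin-ajax.php?action=add_wpeevent_button_qr&hash=test&post_id=119 HTTP/1.1" 200 398
198.51.100.9 - - [04/May/2026:18:01:10 +0000] "GET /wp-content/plugins/easy-paypal-events-tickets/scan_qr.php?id=101 HTTP/1.1" 200 210
198.51.100.9 - - [04/May/2026:18:01:11 +0000] "GET /wp-content/plugins/easy-paypal-events-tickets/scan_qr.php?id=102 HTTP/1.1" 200 214
198.51.100.9 - - [04/May/2026:18:01:12 +0000] "GET /wp-content/plugins/easy-paypal-events-tickets/scan_qr.php?id=103 HTTP/1.1" 200 209
198.51.100.9 - - [04/May/2026:18:01:13 +0000] "GET /wp-content/plugins/easy-paypal-events-tickets/scan_qr.php?id=104 HTTP/1.1" 404 12
198.51.100.9 - - [04/May/2026:18:01:14 +0000] "GET /wp-content/plugins/easy-paypal-events-tickets/scan_qr.php?id=105 HTTP/1.1" 200 211
192.0.2.5 - - [04/May/2026:18:05:00 +0000] "GET /wp-content/plugins/easy-paypal-events-tickets/scan_qr.php?id=77 HTTP/1.1" 200 205
192.0.2.5 - - [04/May/2026:18:06:00 +0000] "GET /wp-admin/admin-ajax.php?action=add_wpeevent_button_qr&hash=3f9c2b7a&post_id=77 HTTP/1.1" 200 401
"""


def parse_line(line):
    """Return a dict for one log line, or None if it is not Combined Log Format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "path": url.path,
        # first value of each parameter is enough for these checks
        "query": {k: v[0] for k, v in parse_qs(url.query).items()},
        "status": int(m["status"]),
    }


def is_auth_bypass(req):
    """CVE-2026-32834: the hardcoded hash value accepted by add_wpeevent_button_qr."""
    q = req["query"]
    return (req["path"].endswith(AJAX_PATH)
            and q.get("action") == "add_wpeevent_button_qr"
            and q.get("hash") == "test")


def find_enumeration(reqs, threshold=ENUM_THRESHOLD, window_s=ENUM_WINDOW_S):
    """CVE-2026-41471: {ip: sorted IDs} for clients that hit scan_qr.php with at
    least `threshold` distinct integer parameter values inside any `window_s` span."""
    events = defaultdict(list)                     # ip -> [(ts, id), ...]
    for r in reqs:
        if not r["path"].endswith("/scan_qr.php"):
            continue
        for v in r["query"].values():
            if v.isdigit():
                events[r["ip"]].append((r["ts"], int(v)))
    hits = defaultdict(set)
    for ip, evs in events.items():
        evs.sort()
        lo = 0
        for hi, (ts, _) in enumerate(evs):
            # advance the window start until it lies within window_s of evs[hi]
            while (ts - evs[lo][0]).total_seconds() > window_s:
                lo += 1
            ids = {i for _, i in evs[lo:hi + 1]}
            if len(ids) >= threshold:
                hits[ip].update(ids)               # union of every qualifying window
    return {ip: sorted(ids) for ip, ids in hits.items()}


def analyze(log_text):
    """Run both detections over raw log text and return plain data for a SIEM or test."""
    reqs = [r for r in map(parse_line, log_text.splitlines()) if r]
    return {
        "auth_bypass": [(r["ip"], r["query"].get("post_id"), r["status"])
                        for r in reqs if is_auth_bypass(r)],
        "enumeration": find_enumeration(reqs),
    }


if __name__ == "__main__":
    for kind, found in analyze(SAMPLE_LOG).items():
        print(kind, found)
```

On the sample above, 203.0.113.7 is reported twice for the hardcoded hash (post IDs 118 and 119, both answered with 200), 198.51.100.9 is reported for walking IDs 101 to 105 inside one minute (the 404 on ID 104 still counts, since the attempt is what matters), and 192.0.2.5 is reported for neither: a single scan_qr.php lookup followed by an admin-ajax call with a real-looking hash is what a legitimate ticket scan looks like. Feed real logs with `analyze(open(path).read())`; the hash comparison is exact because the brief names the literal string, and only GET query strings are visible here, as the recommendation notes.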