WordPress Easy PayPal Events & Tickets Plugin Information Disclosure Vulnerability

hello@craftedsignal.io — Mon, 04 May 2026 18:16:29 +0000

The Easy PayPal Events & Tickets plugin for WordPress, versions 1.3 and earlier, contains an information disclosure vulnerability (CVE-2026-41471). This vulnerability allows unauthenticated attackers to iterate through WordPress post IDs via the scan_qr.php endpoint. By sequentially accessing these IDs, attackers can retrieve customer order records stored within the WordPress database. The plugin was officially closed as of March 18, 2026, meaning websites using the plugin prior to this date are vulnerable. This allows for the potential harvesting of sensitive customer data including names, addresses, and purchase histories.

Attack Chain

An unauthenticated attacker identifies a WordPress site using the vulnerable Easy PayPal Events & Tickets plugin (version 1.3 or earlier).
The attacker crafts a malicious HTTP request targeting the scan_qr.php endpoint.
The attacker modifies the request to iterate through sequential WordPress post IDs.
The server processes the request without proper authentication or authorization checks.
The scan_qr.php endpoint queries the WordPress database for order records associated with the provided post ID.
If a valid order record is found, the server returns the information in the HTTP response.
The attacker parses the HTTP response to extract customer order information.
The attacker repeats steps 2-7, incrementing the post ID to enumerate all order records.

Impact

Successful exploitation of this vulnerability allows unauthenticated attackers to retrieve all customer order records stored in the WordPress database. This can lead to the disclosure of sensitive customer information, including names, email addresses, purchase history, and potentially other personal details. The number of affected victims depends on the popularity and usage of the vulnerable plugin. If the database contains financial information the impact could be severe.

Recommendation

Deploy the Sigma rule detecting requests to the scan_qr.php endpoint with iterative post IDs to identify potential exploitation attempts.
If still using the Easy PayPal Events & Tickets plugin, remove the plugin, as it was closed as of 2026-03-18.
Monitor web server logs for suspicious activity targeting the scan_qr.php endpoint.
Review the WordPress access logs for requests originating from unusual IP addresses accessing the scan_qr.php endpoint.

WordPress Easy PayPal Events & Tickets Plugin Authentication Bypass Vulnerability

hello@craftedsignal.io — Mon, 04 May 2026 18:16:27 +0000

The Easy PayPal Events & Tickets plugin for WordPress, version 1.3 and earlier, contains a critical hardcoded authentication bypass vulnerability (CVE-2026-32834) within its QR code scanning functionality. This flaw allows unauthenticated remote attackers to bypass hash verification by supplying the string ’test’ as the hash parameter when accessing the add_wpeevent_button_qr action. This bypass enables attackers to retrieve sensitive order details associated with any post ID, including PayPal transaction IDs, customer email addresses, purchase amounts, and ticket information. The vulnerable plugin was officially closed on March 18, 2026, making it imperative to identify and mitigate any remaining installations to prevent potential data breaches.

Attack Chain

Attacker identifies a WordPress site using the Easy PayPal Events & Tickets plugin (version 1.3 or earlier).
Attacker crafts a malicious HTTP GET request targeting the /wp-admin/admin-ajax.php endpoint.
The request includes the action parameter set to add_wpeevent_button_qr.
The request includes a hash parameter set to the hardcoded value test.
The request includes a post_id parameter, either guessed or obtained through other means.
The vulnerable plugin bypasses authentication due to the hardcoded hash.
The plugin processes the request and retrieves sensitive order details associated with the provided post_id.
The attacker receives the sensitive data, including PayPal transaction IDs, customer email addresses, purchase amounts, and ticket information.

Impact

Successful exploitation of this vulnerability grants unauthenticated attackers access to sensitive customer and transaction data associated with events and tickets managed through the Easy PayPal Events & Tickets plugin. The leaked information, including customer email addresses and PayPal transaction IDs, can be used for further malicious activities such as phishing campaigns, identity theft, and financial fraud. The number of affected WordPress sites is unknown, but any site using a vulnerable version of the plugin is at risk.

Recommendation

Deploy the Sigma rule Detect WordPress Easy PayPal Events & Tickets Authentication Bypass Attempt to your SIEM to detect exploitation attempts targeting the vulnerable endpoint.
Inspect web server logs for requests to /wp-admin/admin-ajax.php with the action parameter set to add_wpeevent_button_qr and the hash parameter set to test to identify potential exploitation attempts.
Monitor network traffic for suspicious data exfiltration following the identified exploitation attempts to mitigate potential damage.
If the plugin is still installed, remove it immediately.

Easy PayPal Events & Tickets Plugin — CraftedSignal Threat Feed

WordPress Easy PayPal Events & Tickets Plugin Information Disclosure Vulnerability

Attack Chain

Impact

Recommendation

WordPress Easy PayPal Events & Tickets Plugin Authentication Bypass Vulnerability

Attack Chain

Impact

Recommendation