Authorization Bypass in Event Calendar Plugin for WordPress
CVE-2026-13039

5.3MEDIUM

What is CVE-2026-13039?

The Event Calendar, Event Registration, Tickets & Booking plugin for WordPress contains a significant authorization bypass vulnerability due to insufficient user verification in its payment handling functions. Versions 4.0.26 through 4.1.15 are affected, allowing an attacker to manipulate ticket orders and gain unauthorized access to events. By crafting fake identifiers, attackers can activate unpaid ticket orders, obtain confirmation emails, and access event tickets without completing any actual payment. The security flaw arises from a regression in previous code fixes, where the wp_rest nonce needed for the vulnerable endpoint is publicly accessible, exposing users to potential exploitation.

Affected Version(s)

Eventin – Event Calendar, Event Registration, Tickets & Booking (AI Powered) 4.0.26 <= 4.1.15

References

CVSS V3.1

Score:
5.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Niv Kochan
.