Authorization Bypass in Event Calendar Plugin for WordPress
CVE-2026-13039
Key Information:
- Vendor
WordPress
- Vendor
- CVE Published:
- 10 July 2026
What is CVE-2026-13039?
The Event Calendar, Event Registration, Tickets & Booking plugin for WordPress contains a significant authorization bypass vulnerability due to insufficient user verification in its payment handling functions. Versions 4.0.26 through 4.1.15 are affected, allowing an attacker to manipulate ticket orders and gain unauthorized access to events. By crafting fake identifiers, attackers can activate unpaid ticket orders, obtain confirmation emails, and access event tickets without completing any actual payment. The security flaw arises from a regression in previous code fixes, where the wp_rest nonce needed for the vulnerable endpoint is publicly accessible, exposing users to potential exploitation.
Affected Version(s)
Eventin β Event Calendar, Event Registration, Tickets & Booking (AI Powered) 4.0.26 <= 4.1.15