Data Exposure in Eventin Plugin for WordPress by Unauthorized Access
CVE-2026-4109

4.3 MEDIUM

What is CVE-2026-4109?

The Eventin plugin for WordPress is vulnerable to unauthorized data access by authenticated users with Subscriber-level access and higher. Because of an improper capability check in the get_item_permissions_check() function, such attackers can read confidential order details, including personally identifiable information (PII) such as customer names, emails, and phone numbers. This poses a significant risk to user privacy and data security, so affected sites should update to the latest version or apply other mitigations.
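The bug class described above is a REST API permission callback that only confirms the caller is logged in instead of checking an appropriate capability. The following is an added illustrative example, not code from the Eventin plugin: the weak permission check is shown next to a hardened version, and the route name, the `acme_orders_*` function names and the `order_owner` post-meta key are assumptions made for the example.

```php
<?php
// Added illustrative example, not code from the Eventin plugin. Route,
// function names and the `order_owner` meta key are assumptions.

// Weak: any logged-in user (Subscriber and up) passes, so every order
// record, including customer PII, is readable by any account.
function acme_orders_weak_get_item_permissions_check( WP_REST_Request $request ) {
    return is_user_logged_in();
}

// Hardened: require a capability suited to reading order data, or
// ownership of the specific order being requested.
function acme_orders_get_item_permissions_check( WP_REST_Request $request ) {
    $order_id = absint( $request->get_param( 'id' ) );

    // Site administrators may read any order.
    if ( current_user_can( 'manage_options' ) ) {
        return true;
    }

    // Otherwise only the customer who placed the order may view it.
    $owner_id = (int) get_post_meta( $order_id, 'order_owner', true );
    if ( $owner_id > 0 && $owner_id === get_current_user_id() ) {
        return true;
    }

    // Deny with 401 for anonymous callers and 403 for logged-in ones.
    return new WP_Error(
        'rest_forbidden',
        __( 'You are not allowed to view this order.', 'acme-orders' ),
        array( 'status' => rest_authorization_required_code() )
    );
}

// Handler runs only after the permission callback returned true.
function acme_orders_get_item( WP_REST_Request $request ) {
    $order = get_post( absint( $request->get_param( 'id' ) ) );
    if ( ! $order ) {
        return new WP_Error( 'rest_not_found', 'Order not found.', array( 'status' => 404 ) );
    }
    return rest_ensure_response( array( 'id' => $order->ID, 'title' => $order->post_title ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'acme-orders/v1', '/orders/(?P<id>\d+)', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'acme_orders_get_item',
        'permission_callback' => 'acme_orders_get_item_permissions_check',
    ) );
} );
```

When reviewing a plugin for this class of issue, check every `permission_callback` registered via `register_rest_route()` for a test that is weaker than the sensitivity of the data the route returns.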

Affected Version(s)

Eventin – Event Calendar, Event Registration, Tickets & Booking (AI Powered) 0 <= 4.1.8

References

CVSS V3.1

Score: 4.3
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved

Credit

Supakiad S.