Share
## https://sploitus.com/exploit?id=445C517A-FBD0-5894-80F1-5C6758783847
# CVE-2026-40776 โ€” Eventin (wp-event-solution) Broken Access Control

[![CVE](https://img.shields.io/badge/CVE-2026--40776-blue)](https://vulners.com/cve/CVE-2026-40776)
[![CVSS](https://img.shields.io/badge/CVSS-7.5%20HIGH-orange)](https://patchstack.com/database/wordpress/plugin/wp-event-solution/vulnerability/wordpress-eventin-plugin-4-1-8-broken-access-control-vulnerability)
[![CWE](https://img.shields.io/badge/CWE-862-lightgrey)](https://cwe.mitre.org/data/definitions/862.html)
[![Patched](https://img.shields.io/badge/Patched-4.1.9-brightgreen)](https://wordpress.org/plugins/wp-event-solution/)
[![License](https://img.shields.io/badge/License-MIT-yellow)](LICENSE)

Unauthenticated **PII disclosure** and **order forgery** in the [Eventin](https://wordpress.org/plugins/wp-event-solution/) WordPress plugin (10,000+ active installs). A public REST endpoint hands out a `wp_rest` nonce to any visitor, and three downstream permission callbacks accept that nonce as a substitute for authentication โ€” collapsing authorization on every customer order endpoint.

> **Full technical writeup:** 
> **Patchstack advisory:** 

## At a glance

| Field | Value |
|---|---|
| **CVE** | CVE-2026-40776 |
| **Patchstack PSID** | `85de025d71e7` |
| **CWE** | [CWE-862 โ€” Missing Authorization](https://cwe.mitre.org/data/definitions/862.html) |
| **CVSS v3.1** | **7.5 (HIGH)** |
| **Plugin** | Eventin โ€” Events Calendar, Event Booking, Ticket & Registration (`wp-event-solution`) |
| **Affected versions** | ` '__return_true'` and returns a freshly minted `wp_rest` nonce to any unauthenticated caller.
2. **Nonce-as-auth permission callbacks.** Three controllers in `core/Order/` accept that nonce as the only authorization check:
   - `OrderController::get_item_permissions_check` (lines 146โ€“148) โ€” `current_user_can(...) || wp_verify_nonce(...)` ; the `||` makes the nonce alone sufficient.
   - `OrderController::create_item_permissions_check` (lines 476โ€“478) โ€” `wp_verify_nonce(...)` only.
   - `PaymentController::create_payment_permission_check` (lines 66โ€“70) โ€” `wp_verify_nonce(...)` only.
3. **IDOR + fully open seat-booking endpoint.** `OrderController::get_item` (lines 310โ€“317) loads any order by sequential WordPress post ID without ownership verification, and `/book-seats` (lines 129โ€“137) uses `permission_callback => function() { return true; }` (no auth at all).

End-to-end, four unauthenticated requests are enough to dump every customer order (full names, emails, phone numbers, payment methods, attendees roster) and to forge new orders. See [`ADVISORY.md`](ADVISORY.md) for the full technical breakdown and [`poc/poc-eventin.sh`](poc/poc-eventin.sh) for a reproducible PoC.

## Mitigation

Update `wp-event-solution` to **4.1.9** or later. There is no in-version workaround for older releases short of disabling the plugin or blocking the affected REST routes (`/wp-json/eventin/v1/nonce`, `/wp-json/eventin/v2/orders*`, `/wp-json/eventin/v2/payments`, `/wp-json/eventin/v2/orders/book-seats`) at the web-server / WAF layer.

## Repository contents

```
.
โ”œโ”€โ”€ README.md                       this file
โ”œโ”€โ”€ ADVISORY.md                     full technical advisory + code review
โ”œโ”€โ”€ LICENSE                         MIT
โ”œโ”€โ”€ poc/
โ”‚   โ””โ”€โ”€ poc-eventin.sh              4-step bash PoC against a local lab
โ””โ”€โ”€ screenshots/
    โ”œโ”€โ”€ poc1-idor-pii-leak.png      IDOR read of order #21 with full PII
    โ”œโ”€โ”€ poc2-no-nonce-blocked.png   same request without nonce โ†’ 401
    โ””โ”€โ”€ poc3-fake-order-created.png unauthenticated POST creating a fake order
```

## Disclosure timeline

| Date | Event |
|---|---|
| 2026-03-10 | Reported to Patchstack |
| 2026-04-07 | Vendor releases Eventin 4.1.9 (fix) |
| 2026-04-13 | Coordination milestone (Patchstack) |
| 2026-04-29 | Public disclosure (Patchstack advisory) |
| 2026-05-01 | Third-party trackers pick it up (WP-Firewall, Managed-WP, SolidWP) |
| 2026-05-04 | This repository published |

## References

- Full writeup (canonical): 
- Patchstack advisory: 
- Plugin on wordpress.org: 
- CWE-862 โ€” Missing Authorization: 

## Responsible use

This material is published for defensive and educational purposes โ€” to help WordPress site operators identify exposure, to help plugin authors avoid the same mistake (treating a CSRF nonce as authentication), and to document a real-world example of how the `||` short-circuit in a permission callback collapses authorization. **Do not run the PoC against systems you do not own or do not have explicit written authorization to test.**

## License

[MIT](LICENSE)