## https://sploitus.com/exploit?id=445C517A-FBD0-5894-80F1-5C6758783847
# CVE-2026-40776 โ Eventin (wp-event-solution) Broken Access Control
[](https://vulners.com/cve/CVE-2026-40776)
[](https://patchstack.com/database/wordpress/plugin/wp-event-solution/vulnerability/wordpress-eventin-plugin-4-1-8-broken-access-control-vulnerability)
[](https://cwe.mitre.org/data/definitions/862.html)
[](https://wordpress.org/plugins/wp-event-solution/)
[](LICENSE)
Unauthenticated **PII disclosure** and **order forgery** in the [Eventin](https://wordpress.org/plugins/wp-event-solution/) WordPress plugin (10,000+ active installs). A public REST endpoint hands out a `wp_rest` nonce to any visitor, and three downstream permission callbacks accept that nonce as a substitute for authentication โ collapsing authorization on every customer order endpoint.
> **Full technical writeup:**
> **Patchstack advisory:**
## At a glance
| Field | Value |
|---|---|
| **CVE** | CVE-2026-40776 |
| **Patchstack PSID** | `85de025d71e7` |
| **CWE** | [CWE-862 โ Missing Authorization](https://cwe.mitre.org/data/definitions/862.html) |
| **CVSS v3.1** | **7.5 (HIGH)** |
| **Plugin** | Eventin โ Events Calendar, Event Booking, Ticket & Registration (`wp-event-solution`) |
| **Affected versions** | ` '__return_true'` and returns a freshly minted `wp_rest` nonce to any unauthenticated caller.
2. **Nonce-as-auth permission callbacks.** Three controllers in `core/Order/` accept that nonce as the only authorization check:
- `OrderController::get_item_permissions_check` (lines 146โ148) โ `current_user_can(...) || wp_verify_nonce(...)` ; the `||` makes the nonce alone sufficient.
- `OrderController::create_item_permissions_check` (lines 476โ478) โ `wp_verify_nonce(...)` only.
- `PaymentController::create_payment_permission_check` (lines 66โ70) โ `wp_verify_nonce(...)` only.
3. **IDOR + fully open seat-booking endpoint.** `OrderController::get_item` (lines 310โ317) loads any order by sequential WordPress post ID without ownership verification, and `/book-seats` (lines 129โ137) uses `permission_callback => function() { return true; }` (no auth at all).
End-to-end, four unauthenticated requests are enough to dump every customer order (full names, emails, phone numbers, payment methods, attendees roster) and to forge new orders. See [`ADVISORY.md`](ADVISORY.md) for the full technical breakdown and [`poc/poc-eventin.sh`](poc/poc-eventin.sh) for a reproducible PoC.
## Mitigation
Update `wp-event-solution` to **4.1.9** or later. There is no in-version workaround for older releases short of disabling the plugin or blocking the affected REST routes (`/wp-json/eventin/v1/nonce`, `/wp-json/eventin/v2/orders*`, `/wp-json/eventin/v2/payments`, `/wp-json/eventin/v2/orders/book-seats`) at the web-server / WAF layer.
## Repository contents
```
.
โโโ README.md this file
โโโ ADVISORY.md full technical advisory + code review
โโโ LICENSE MIT
โโโ poc/
โ โโโ poc-eventin.sh 4-step bash PoC against a local lab
โโโ screenshots/
โโโ poc1-idor-pii-leak.png IDOR read of order #21 with full PII
โโโ poc2-no-nonce-blocked.png same request without nonce โ 401
โโโ poc3-fake-order-created.png unauthenticated POST creating a fake order
```
## Disclosure timeline
| Date | Event |
|---|---|
| 2026-03-10 | Reported to Patchstack |
| 2026-04-07 | Vendor releases Eventin 4.1.9 (fix) |
| 2026-04-13 | Coordination milestone (Patchstack) |
| 2026-04-29 | Public disclosure (Patchstack advisory) |
| 2026-05-01 | Third-party trackers pick it up (WP-Firewall, Managed-WP, SolidWP) |
| 2026-05-04 | This repository published |
## References
- Full writeup (canonical):
- Patchstack advisory:
- Plugin on wordpress.org:
- CWE-862 โ Missing Authorization:
## Responsible use
This material is published for defensive and educational purposes โ to help WordPress site operators identify exposure, to help plugin authors avoid the same mistake (treating a CSRF nonce as authentication), and to document a real-world example of how the `||` short-circuit in a permission callback collapses authorization. **Do not run the PoC against systems you do not own or do not have explicit written authorization to test.**
## License
[MIT](LICENSE)