Back to overview

CVE-2026-13039

MEDIUM
5.3
CVSS 3.1
Description
The Eventin – Event Calendar, Event Registration, Tickets & Booking (AI Powered) plugin for WordPress is vulnerable to authorization bypass due to a regression in versions from 4.0.26 up to and including 4.1.15. This is due to the plugin not properly verifying that a user is authorized to perform an action in the payment_complete() function of PaymentController.php. This makes it possible for unauthenticated attackers to mark unpaid ticket orders as completed by submitting a fabricated SureCart checkout ID or FluentCart cart hash, granting themselves paid event access, QR-code attendee tickets, and order confirmation emails without making any real payment. The wp_rest nonce required to reach the vulnerable endpoint is embedded in every public event page, meaning no WordPress session or credentials are needed to obtain it. This vulnerability represents a regression — the same function and endpoint were previously patched but the fix did not persist through subsequent releases.

Metadata

CVE ID
CVE-2026-13039
State
PUBLISHED
Assigner
Wordfence
Reserved
2026-06-23 17:16 UTC
Published
2026-07-10 20:31 UTC
Last updated
2026-07-10 20:31 UTC
Primary CWE
CWE-862
CWE-862 Missing Authorization
Vendor / Product
arraytics / Eventin – Event Calendar, Event Registration, Tickets & Booking (AI Powered)
Sources
cve.org  ·  NVD

Severity & Metrics

5.3 MEDIUM CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Affected products (1)
VendorProductPlatformVersions
arraytics Eventin – Event Calendar, Event Registration, Tickets & Booking (AI Powered) 4.0.26 ≤ 4.1.15
Weakness (CWE)
CWESourceDescription
CWE-862 cna CWE-862 Missing Authorization
CVSS scores (1)
ScoreSeverityVersionSourceVector
5.3 MEDIUM 3.1 cna CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Back to overview