CVE-2026-13039 PUBLISHED

Eventin 4.0.26 - 4.1.15 - Missing Authorization to Unauthenticated Payment Bypass via REST API

Assigner: Wordfence
Reserved: 23.06.2026 Published: 10.07.2026 Updated: 10.07.2026

The Eventin – Event Calendar, Event Registration, Tickets & Booking (AI Powered) plugin for WordPress is vulnerable to authorization bypass due to a regression in versions from 4.0.26 up to and including 4.1.15. This is due to the plugin not properly verifying that a user is authorized to perform an action in the payment_complete() function of PaymentController.php. This makes it possible for unauthenticated attackers to mark unpaid ticket orders as completed by submitting a fabricated SureCart checkout ID or FluentCart cart hash, granting themselves paid event access, QR-code attendee tickets, and order confirmation emails without making any real payment. The wp_rest nonce required to reach the vulnerable endpoint is embedded in every public event page, meaning no WordPress session or credentials are needed to obtain it. This vulnerability represents a regression — the same function and endpoint were previously patched but the fix did not persist through subsequent releases.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
CVSS Score: 5.3

Product Status

Vendor arraytics
Product Eventin – Event Calendar, Event Registration, Tickets & Booking (AI Powered)
Versions Default: unaffected
  • affected from 4.0.26 to 4.1.15 (incl.)

Credits

  • Niv Kochan finder

References

Problem Types

  • CWE-862 Missing Authorization CWE