CVE-2026-9701 PUBLISHED

Eventer <= 4.4.2 - Insecure Password Reset Mechanism to Unauthenticated Privilege Escalation

Assigner: Wordfence
Reserved: 27.05.2026 Published: 08.07.2026 Updated: 08.07.2026

The Eventer plugin for WordPress is vulnerable to an insecure password reset mechanism in all versions up to, and including, 4.4.2. The plugin stores a plaintext copy of the password reset key in the eventer_verification_code user meta field when a user requests a password reset. The plaintext key stored in wp_usermeta can be used with the plugin's custom reset action to set a new password for any user. Combined with another vulnerability such as SQL Injection (CVE-2026-9700), this makes it possible for unauthenticated attackers to extract the plaintext reset key and take over any user account, including administrators. Note: The password reset function only works up to PHP version 7.4.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS Score: 9.8

Product Status

Vendor joe007
Product Eventer
Versions Default: unaffected
  • affected from 0 to 4.4.2 (incl.)

Credits

  • Rafie Muhammad finder

References

Problem Types

  • CWE-289 Authentication Bypass by Alternate Name CWE