What the vulnerability does
01 Description
The EventPrime - Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.2.7.0 via the REST API. This makes it possible for unauthenticated attackers to extract sensitive booking data including user names, email addresses, ticket details, payment information, and order keys when the API is enabled by an administrator. The vulnerability was partially patched in version 4.2.7.0.
Explanation of Vulnerability in Simple Terms
02 Summary
EventPrime versions up to 4.2.7.0 expose sensitive information that an unauthenticated attacker can access over the network without user interaction. The vulnerability stems from improper access controls on data that should be restricted. Site administrators should update to a version newer than 4.2.7.0 to prevent unauthorized information disclosure.
What an attacker can do
03 Attacker Capabilities
Read sensitive information from the site without authentication.
Potential impact on your site
04 Site Impact
Confidential data may be exposed to anyone on the internet, potentially including event details, booking info, or user data.
Conditions required to exploit
05 Prerequisites
Network access only; no authentication or user interaction required.
Key dates
06 Disclosure timeline
January 13, 2026: CVE published
April 8, 2026: Record updated