What the vulnerability does
01Description
The Eventin – Event Manager, Events Calendar, Event Tickets and Registrations plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'post_settings' function in all versions up to, and including, 4.0.51. This makes it possible for unauthenticated attackers to modify plugin settings. Furthermore, due to insufficient input sanitization and output escaping on the 'etn_primary_color' setting, this enables unauthenticated attackers to inject arbitrary web scripts that will execute whenever a user accesses a page where Eventin styles are loaded.
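The two weaknesses named above, a settings-write handler with no capability check and a colour setting echoed into a style block without validation or escaping, shown beside the hardened form. This is an added, hypothetical WordPress handler written for this page, not Eventin's code: the hook names, the option name 'demo_settings', the 'primary_color' field and every demo_-prefixed function are assumptions made for illustration.

```php
<?php
/*
 * Hypothetical WordPress settings handler (illustration only; not the plugin's code).
 * Shows the two flaw classes the advisory names and how to close them:
 *   1. a settings-write endpoint reachable without a capability check
 *   2. a colour value printed into a <style> block without validation or escaping
 */

/* --- Vulnerable pattern (assumed for illustration) --- */

// Registering on wp_ajax_nopriv_ exposes the handler to logged-out visitors as well.
add_action( 'wp_ajax_nopriv_demo_post_settings', 'demo_post_settings_vulnerable' );
add_action( 'wp_ajax_demo_post_settings',        'demo_post_settings_vulnerable' );

function demo_post_settings_vulnerable() {
    // No nonce and no current_user_can(): anyone who can reach admin-ajax.php may write settings.
    $settings = isset( $_POST['settings'] ) ? (array) wp_unslash( $_POST['settings'] ) : array();
    update_option( 'demo_settings', $settings );   // raw, unsanitized input is persisted
    wp_send_json_success();
}

function demo_print_styles_vulnerable() {
    $settings = get_option( 'demo_settings', array() );
    $color    = isset( $settings['primary_color'] ) ? $settings['primary_color'] : '#000000';
    // Unescaped: a stored value such as "</style><script>...</script>" breaks out of the block.
    echo '<style>.demo-btn { background: ' . $color . '; }</style>';
}

/* --- Hardened pattern --- */

// Privileged handler only: there is deliberately no wp_ajax_nopriv_ registration.
add_action( 'wp_ajax_demo_post_settings_safe', 'demo_post_settings_hardened' );

function demo_post_settings_hardened() {
    // Authorization: only users allowed to manage site options may write plugin settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }
    // CSRF: require a nonce minted for this action, sent in the 'nonce' field.
    check_ajax_referer( 'demo_post_settings', 'nonce' );

    $raw = isset( $_POST['settings'] ) ? (array) wp_unslash( $_POST['settings'] ) : array();
    update_option( 'demo_settings', demo_sanitize_settings( $raw ) );
    wp_send_json_success();
}

// Allow-list sanitization: unknown keys are dropped, known keys are validated by type.
function demo_sanitize_settings( array $raw ) {
    $clean = array();
    $clean['primary_color'] = demo_sanitize_color( isset( $raw['primary_color'] ) ? $raw['primary_color'] : '' );
    return $clean;
}

// Accept only a 3- or 6-digit hex colour; anything else falls back to a safe default.
// Core's sanitize_hex_color() applies the same rule; the regex is inlined here so the rule is visible.
function demo_sanitize_color( $value ) {
    $value = trim( (string) $value );
    if ( preg_match( '/\A#([0-9a-fA-F]{3}|[0-9a-fA-F]{6})\z/', $value ) ) {
        return $value;
    }
    return '#000000';
}

function demo_print_styles_hardened() {
    $settings = get_option( 'demo_settings', array() );
    // Validate again on output (defense in depth against values written by other code paths),
    // then escape before interpolating into markup.
    $color = demo_sanitize_color( isset( $settings['primary_color'] ) ? $settings['primary_color'] : '' );
    echo '<style>.demo-btn { background: ' . esc_attr( $color ) . '; }</style>';
}
```

The authorization check and the nonce check serve different purposes and both are needed: current_user_can() answers "may this account change settings", the nonce answers "did this request originate from a form the site issued". If the endpoint is a REST route rather than an admin-ajax action, the equivalent of the capability check is a permission_callback that returns current_user_can( 'manage_options' ) instead of __return_true. Validating the colour against a strict pattern, rather than only escaping it, means the stored value can never hold markup in the first place.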
Explanation of Vulnerability in Simple Terms
02Summary
Eventin versions up to and including 4.0.51 expose the 'post_settings' function without a capability check, so an attacker who is not logged in can change the plugin's settings. Because the 'etn_primary_color' setting is neither sanitized on input nor escaped on output, the attacker can store a script payload in it that runs in the browser of any user who loads a page where Eventin's styles are output (stored cross-site scripting). Changing the settings needs no user interaction; the stored script fires whenever a victim visits an affected page. Update to a version newer than 4.0.51.
What an attacker can do
03Attacker Capabilities
Modify Eventin plugin settings without authentication, and, through the unsanitized 'etn_primary_color' setting, store a script payload that executes in the browser of any user who loads a page where Eventin styles are output.
Potential impact on your site
04Site Impact
Plugin settings can be changed by anyone who can reach the site, and a stored cross-site scripting payload can be served to every user who loads a page with Eventin styles, so attacker-controlled script runs in those users' browsers within the site's origin.
Conditions required to exploit
05Prerequisites
Unauthenticated network access to the site is enough to change the settings; no user interaction is required for that step. For the injected script to run, a user then has to load a page where Eventin styles are output.
Key dates
06Disclosure timeline
January 9, 2026
CVE published
April 8, 2026
Record updated