01 Description: what the vulnerability does
Easy PayPal Events & Tickets plugin for WordPress before version 1.4 contains a hardcoded authentication bypass vulnerability in the QR code scanning functionality that allows unauthenticated remote attackers to bypass hash verification by supplying the literal string 'test' as the hash parameter. Attackers can reach the vulnerable endpoint through the add_wpeevent_button_qr action and retrieve sensitive order details, including PayPal transaction IDs, customer email addresses, purchase amounts, and ticket information, for any order whose post ID is known or guessed.
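The following is an added illustration of the weakness class described above and of how a QR scan handler can be hardened; it is not code from the Easy PayPal Events & Tickets plugin or from the advisory. The meta key names, the WPEEVENT_QR_KEY constant and the function names are assumed for the example, and the only identifiers taken from the page are the add_wpeevent_button_qr action and the hash parameter.

```php
<?php
// Added example, not the plugin's own code. All names below except the
// add_wpeevent_button_qr action and the 'hash' parameter are hypothetical.

// Pattern to avoid: a fixed "magic" value accepted alongside the real hash.
// Shipping a debugging shortcut like this turns hash verification into a no-op.
function wpeevent_hash_is_valid_weak( $post_id, $supplied ) {
    $expected = get_post_meta( $post_id, 'wpeevent_scan_hash', true );
    return $supplied === 'test' || $supplied === $expected;
}

// Hardened check: derive the expected value from a per-site secret and
// compare in constant time; fail closed if the secret is not configured.
function wpeevent_hash_is_valid( $post_id, $supplied ) {
    if ( ! defined( 'WPEEVENT_QR_KEY' ) || '' === WPEEVENT_QR_KEY ) {
        return false;
    }
    $expected = hash_hmac( 'sha256', 'order:' . (int) $post_id, WPEEVENT_QR_KEY );
    return is_string( $supplied ) && hash_equals( $expected, $supplied );
}

function wpeevent_qr_lookup() {
    // Scanning tickets is a staff action: require a capability and a nonce,
    // and register only the authenticated wp_ajax_ hook (no wp_ajax_nopriv_).
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'wpeevent_qr', 'nonce' );

    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    $hash    = isset( $_POST['hash'] ) ? sanitize_text_field( wp_unslash( $_POST['hash'] ) ) : '';

    if ( ! $post_id || ! wpeevent_hash_is_valid( $post_id, $hash ) ) {
        // Log rejections so repeated lookups against many post IDs are visible.
        error_log( sprintf(
            'wpeevent: rejected QR lookup for post %d from %s',
            $post_id,
            isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
        ) );
        wp_send_json_error( 'invalid ticket', 403 );
    }

    // Return only what the scanner needs, not the full order record
    // (no transaction IDs, e-mail addresses or amounts).
    wp_send_json_success( array(
        'post_id' => $post_id,
        'status'  => get_post_meta( $post_id, 'wpeevent_ticket_status', true ),
    ) );
}
add_action( 'wp_ajax_add_wpeevent_button_qr', 'wpeevent_qr_lookup' );
```

The three changes that matter are the removal of any fixed fallback value from the comparison, the use of hash_equals against a value derived from a site secret rather than a bare string equality, and limiting the response to the fields a scanner actually needs, so that even a future verification bug does not expose payment details.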
02 Summary: explanation of the vulnerability in simple terms
The easy-paypal-events-tickets plugin contains hardcoded credentials or API keys that can be extracted from the code or configuration. An attacker with network access can use these exposed credentials to authenticate to PayPal or related services without authorization. All versions before 1.4.0 are affected. Update to version 1.4.0 or later to remediate.
03 Attacker capabilities: what an attacker can do
Use exposed credentials to authenticate to PayPal services and access payment data or perform unauthorized transactions.
04 Site impact: potential impact on your site
Attackers can access your PayPal account, view transaction history, and potentially process unauthorized payments or refunds.
05 Prerequisites: conditions required to exploit
Network access to the site or its code repository; no authentication or user interaction required.
06 Disclosure timeline: key dates
May 4, 2026: CVE published
May 13, 2026: Record updated