CVE-2026-32834 HIGH

CVE-2026-32834: Easy PayPal Events & Tickets < 1.4 Authentication Bypass via QR Code Scanning

Vendor Scott Paterson
Product easy-paypal-events-tickets
Weakness CWE-798 · Hardcoded credentials
Published May 4, 2026
Last update May 13, 2026

CVSS base score

8.7/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

Easy PayPal Events & Tickets plugin for WordPress before version 1.4 contains a hardcoded authentication bypass vulnerability in the QR code scanning functionality that allows unauthenticated remote attackers to bypass hash verification by supplying 'test' as the hash parameter. Attackers can access the vulnerable endpoint via the add_wpeevent_button_qr action to retrieve sensitive order details including PayPal transaction IDs, customer email addresses, purchase amounts, and ticket information for any order with a known or guessed post ID.
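A log check for the behaviour described above, as an added example that is not part of the advisory or the plugin's code: it scans web server access logs for requests to the add_wpeevent_button_qr action that carry the 'test' hash, and for clients that request many distinct orders through that action. The admin-ajax.php path, the `hash` and `id` parameter names, the threshold and the log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

ACTION = "add_wpeevent_button_qr"  # action name given in the advisory
BYPASS_VALUE = "test"              # hardcoded value given in the advisory
HASH_PARAM = "hash"                # assumption: name of the hash query parameter
ENUM_THRESHOLD = 3                 # assumption: distinct requests per client

# Combined Log Format: client address, request line, status code.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

# Constructed sample lines (documentation addresses), not real traffic.
SAMPLE_LOG = """\
198.51.100.7 - - [05/May/2026:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=add_wpeevent_button_qr&id=101&hash=test HTTP/1.1" 200 812
198.51.100.7 - - [05/May/2026:10:01:03 +0000] "GET /wp-admin/admin-ajax.php?action=add_wpeevent_button_qr&id=102&hash=test HTTP/1.1" 200 809
198.51.100.7 - - [05/May/2026:10:01:04 +0000] "GET /wp-admin/admin-ajax.php?action=add_wpeevent_button_qr&id=103&hash=%74est HTTP/1.1" 200 15
203.0.113.20 - - [05/May/2026:10:05:00 +0000] "GET /wp-admin/admin-ajax.php?action=add_wpeevent_button_qr&id=55&hash=9f2c41d0ab HTTP/1.1" 200 790
203.0.113.20 - - [05/May/2026:10:05:09 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 58
192.0.2.9 - - [05/May/2026:10:06:00 +0000] "GET /?s=test HTTP/1.1" 200 4312
"""

def scan(log_text):
    """Return (bypass_hits, enumerators) for requests to the QR scanning action."""
    bypass_hits = []
    seen = defaultdict(set)  # client -> distinct request targets for the action
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        client, _method, target, status = m.groups()
        # parse_qs URL-decodes values, so hash=%74est is treated as hash=test.
        query = parse_qs(urlsplit(target).query, keep_blank_values=True)
        if ACTION not in query.get("action", []):
            continue
        seen[client].add(target)
        if BYPASS_VALUE in query.get(HASH_PARAM, []):
            bypass_hits.append((client, target, int(status)))
    enumerators = sorted(c for c, t in seen.items() if len(t) >= ENUM_THRESHOLD)
    return bypass_hits, enumerators

if __name__ == "__main__":
    hits, enumerators = scan(SAMPLE_LOG)
    for client, target, status in hits:
        print(f"bypass value from {client} -> {status} {target}")
    print("clients requesting many distinct orders:", enumerators)
```

Access logs record only the query string, so requests that send the parameters in a POST body need the same check applied at a WAF or in application logging.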

Explanation of Vulnerability in Simple Terms

02 Summary

The easy-paypal-events-tickets plugin contains hardcoded credentials or API keys that can be extracted from the code or configuration. An attacker with network access can use these exposed credentials to authenticate to PayPal or related services without authorization. All versions before 1.4.0 are affected. Update to version 1.4.0 or later to remediate.

What an attacker can do

03 Attacker Capabilities

Use exposed credentials to authenticate to PayPal services and access payment data or perform unauthorized transactions.

Potential impact on your site

04 Site Impact

Attackers can access your PayPal account, view transaction history, and potentially process unauthorized payments or refunds.

Conditions required to exploit

05 Prerequisites

Network access to the site or its code repository; no authentication or user interaction required.

Key dates

06 Disclosure timeline

May 4, 2026 CVE published
May 13, 2026 Record updated