What the vulnerability does
01Description
The Event Monster – Event Management, Events Calendar, Tickets plugin for WordPress is vulnerable to Insufficient Verification of Data Authenticity in versions up to, and including, 2.1.0. This is due to the capture_payment() AJAX handler (registered via wp_ajax_nopriv_em_capture_payment) trusting client-supplied payment data — including transaction ID, amount, and payment status — without performing any server-side verification against the PayPal API or any other payment gateway, and without nonce or capability checks. This makes it possible for unauthenticated attackers to forge payment records, mark bookings as Completed, and obtain confirmation emails containing valid QR code tickets without making any actual payment.
Explanation of Vulnerability in Simple Terms
02Summary
Event Monster versions up to and including 2.1.0 contain an integrity vulnerability that lets an unauthenticated, network-based attacker alter booking and payment records. The plugin's payment-capture AJAX endpoint accepts whatever payment result the client reports (transaction ID, amount, status) instead of confirming the payment with PayPal or another gateway on the server side, and it performs no nonce or capability check. An attacker can therefore mark a booking as paid and receive a ticket with a valid QR code without paying. Site administrators should update immediately to a version newer than 2.1.0.
What an attacker can do
03Attacker Capabilities
Forge payment records for bookings without logging in: supply an arbitrary transaction ID, amount, and a "Completed" status to the unauthenticated capture_payment() handler, flip the booking to Completed, and receive the confirmation email with a valid QR code ticket for free. Booking and ticket records tied to the affected event are modified as a side effect.
Potential impact on your site
04Site Impact
Bookings can be marked as paid with no money received, so paid events can be attended on forged tickets and ticket revenue is lost. Payment and attendee records no longer reflect real transactions, which also breaks reconciliation against the gateway; any downstream logic keyed on the "Completed" status (capacity, check-in, refunds) operates on attacker-controlled data.
Conditions required to exploit
05Prerequisites
Network access to the site's admin-ajax.php endpoint. Because the handler is registered on the wp_ajax_nopriv_ hook and performs no nonce or capability check, no account, session, or user interaction is required; the attacker only needs a reachable booking to target.
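The pattern described in the sections above, as an added illustration that is not Event Monster's own code: an AJAX handler that treats the client's POST body as proof of payment, beside a hardened version that checks a nonce, re-derives the expected amount from the server-side booking record, and confirms the order with the PayPal Orders v2 API before marking anything paid. Every function name, meta key, nonce action, and option name below is hypothetical; the plugin's real internals are not reproduced here.

```php
<?php
// Added illustration (not the plugin's code). All helper names, meta keys,
// nonce action and option names are hypothetical.

// --- Vulnerable pattern: the request itself is the "proof" of payment. ---
// Would be hooked as add_action( 'wp_ajax_nopriv_em_capture_payment', ... ).
function em_capture_payment_vulnerable() {
    // A forged POST to /wp-admin/admin-ajax.php?action=em_capture_payment with
    // booking_id=123&transaction_id=ANY&amount=0.01&status=Completed succeeds:
    // nothing is verified against the gateway, and there is no nonce check.
    $booking_id = absint( $_POST['booking_id'] );
    update_post_meta( $booking_id, '_em_txn_id', $_POST['transaction_id'] );
    update_post_meta( $booking_id, '_em_amount', $_POST['amount'] );
    update_post_meta( $booking_id, '_em_status', $_POST['status'] );
    em_send_ticket_email( $booking_id ); // hypothetical: mails the QR ticket
    wp_send_json_success();
}

// --- Hardened pattern: the gateway is the only source of truth. ---
add_action( 'wp_ajax_nopriv_em_capture_payment', 'em_capture_payment_hardened' );
add_action( 'wp_ajax_em_capture_payment', 'em_capture_payment_hardened' );
function em_capture_payment_hardened() {
    check_ajax_referer( 'em_capture_payment', 'nonce' ); // CSRF guard, not authentication

    $booking_id = absint( $_POST['booking_id'] ?? 0 );
    $order_id   = sanitize_text_field( wp_unslash( $_POST['order_id'] ?? '' ) );
    if ( ! $booking_id || ! preg_match( '/^[A-Z0-9]{5,32}$/', $order_id ) ) {
        wp_send_json_error( 'bad request', 400 );
    }
    if ( 'Completed' === get_post_meta( $booking_id, '_em_status', true ) ) {
        wp_send_json_error( 'already paid', 409 );
    }

    // Expected amount and currency come from the server-side booking record,
    // never from the request body.
    $due      = get_post_meta( $booking_id, '_em_amount_due', true );
    $currency = get_post_meta( $booking_id, '_em_currency', true );

    // Ask PayPal what actually happened; ignore the client's claimed status/amount.
    $order = em_paypal_get_order( $order_id );
    if ( ! $order || ( $order['status'] ?? '' ) !== 'COMPLETED' ) {
        wp_send_json_error( 'payment not completed', 402 );
    }
    $unit = $order['purchase_units'][0] ?? array();
    $paid = $unit['amount'] ?? array();
    if ( ( $paid['currency_code'] ?? '' ) !== $currency
        || number_format( (float) ( $paid['value'] ?? 0 ), 2, '.', '' ) !== number_format( (float) $due, 2, '.', '' ) ) {
        wp_send_json_error( 'amount mismatch', 402 );
    }
    // The order must have been created for this booking (custom_id is set by
    // the server when the order is created), and may be redeemed only once.
    if ( ( $unit['custom_id'] ?? '' ) !== (string) $booking_id ) {
        wp_send_json_error( 'order not for this booking', 403 );
    }
    $redeemed = get_posts( array(
        'post_type'   => 'em_booking', 'post_status' => 'any', 'fields' => 'ids',
        'meta_key'    => '_em_paypal_order_id', 'meta_value' => $order_id,
    ) );
    if ( $redeemed ) {
        wp_send_json_error( 'order already redeemed', 409 );
    }

    update_post_meta( $booking_id, '_em_paypal_order_id', $order_id );
    update_post_meta( $booking_id, '_em_amount', $paid['value'] );
    update_post_meta( $booking_id, '_em_status', 'Completed' );
    em_send_ticket_email( $booking_id );
    wp_send_json_success( array( 'booking_id' => $booking_id ) );
}

// Server-to-server lookup of a PayPal Orders v2 order. API credentials are
// read from WordPress options (hypothetical names) and never from the request.
function em_paypal_get_order( $order_id ) {
    $base = get_option( 'em_paypal_sandbox' ) ? 'https://api-m.sandbox.paypal.com' : 'https://api-m.paypal.com';
    $auth = base64_encode( get_option( 'em_paypal_client_id' ) . ':' . get_option( 'em_paypal_secret' ) );
    $tok  = wp_remote_post( $base . '/v1/oauth2/token', array(
        'headers' => array( 'Authorization' => 'Basic ' . $auth ),
        'body'    => array( 'grant_type' => 'client_credentials' ),
        'timeout' => 15,
    ) );
    if ( is_wp_error( $tok ) || 200 !== wp_remote_retrieve_response_code( $tok ) ) {
        return null;
    }
    $tok_body = json_decode( wp_remote_retrieve_body( $tok ), true );
    $access   = $tok_body['access_token'] ?? '';
    $resp     = wp_remote_get( $base . '/v2/checkout/orders/' . rawurlencode( $order_id ), array(
        'headers' => array( 'Authorization' => 'Bearer ' . $access ),
        'timeout' => 15,
    ) );
    if ( is_wp_error( $resp ) || 200 !== wp_remote_retrieve_response_code( $resp ) ) {
        return null;
    }
    return json_decode( wp_remote_retrieve_body( $resp ), true );
}
```

Two points worth keeping in mind when reviewing a fix for this class of bug. First, the nonce alone is not the remedy: an unauthenticated visitor who can load the checkout page can obtain a nonce, so wp_verify_nonce only blocks cross-site forgery; the part that actually closes the hole is the server-side lookup of the order, the comparison of the gateway-reported amount and currency against the booking's own record, and the binding of the order to the booking. Second, the replay check (one order ID redeems one booking) matters because a single genuine payment could otherwise be presented to the endpoint repeatedly to unlock further bookings.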
Key dates
06Disclosure timeline
June 5, 2026
CVE published
June 6, 2026
Record updated