CVE-2026-8608 MEDIUM

CVE-2026-8608: Event Monster <= 2.1.0 - Unauthenticated Insufficient Verification of Data Authenticity to Payment Bypass via em_capture_payment AJAX Action

Vendor: Awordpresslife
Product: Event Monster – Event Manager, Ticket Booking & Registration
Weakness: CWE-345
Published: June 5, 2026
Last update: June 6, 2026

CVSS base score

5.3/10
Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Confidentiality: None
Integrity: Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

What the vulnerability does

Description

The Event Monster – Event Management, Events Calendar, Tickets plugin for WordPress is vulnerable to Insufficient Verification of Data Authenticity in versions up to, and including, 2.1.0. This is due to the capture_payment() AJAX handler (registered via wp_ajax_nopriv_em_capture_payment) trusting client-supplied payment data — including transaction ID, amount, and payment status — without performing any server-side verification against the PayPal API or any other payment gateway, and without nonce or capability checks. This makes it possible for unauthenticated attackers to forge payment records, mark bookings as Completed, and obtain confirmation emails containing valid QR code tickets without making any actual payment.
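The defect class described above (a capture handler that accepts transaction ID, amount and status from the client, with no nonce check) is closed by verifying the nonce and by asking the gateway, server-side, for the order's real status and amount before the booking is marked Completed. The handler below is an added illustration in the WordPress/PHP idiom, not the plugin's code; the action name em_capture_payment comes from the advisory, while the booking post type, meta keys, nonce action, the use of PayPal's custom_id field and the EM_PAYPAL_ACCESS_TOKEN placeholder are assumptions.

```php
<?php
// Illustrative hardened handler, not the plugin's code. Assumes a hypothetical 'em_booking'
// post type storing the expected total in '_em_total' / '_em_currency' meta, a nonce named
// 'em_capture_payment' printed on the checkout page, and EM_PAYPAL_ACCESS_TOKEN as a
// placeholder for a server-held PayPal OAuth2 token obtained with server-side credentials.
add_action( 'wp_ajax_em_capture_payment', 'em_capture_payment_verified' );
add_action( 'wp_ajax_nopriv_em_capture_payment', 'em_capture_payment_verified' );
function em_capture_payment_verified() {
    // 1. CSRF check: the request must carry the nonce issued with the checkout page.
    check_ajax_referer( 'em_capture_payment', 'nonce' );
    $booking_id = isset( $_POST['booking_id'] ) ? absint( $_POST['booking_id'] ) : 0;
    $order_id   = isset( $_POST['order_id'] ) ? sanitize_text_field( wp_unslash( $_POST['order_id'] ) ) : '';
    if ( ! $booking_id || '' === $order_id || 'em_booking' !== get_post_type( $booking_id ) ) {
        wp_send_json_error( 'bad request', 400 );
    }
    // 2. Replay check: one gateway order may settle only one booking.
    if ( get_posts( array( 'post_type' => 'em_booking', 'meta_key' => '_em_order_id',
                           'meta_value' => $order_id, 'fields' => 'ids' ) ) ) {
        wp_send_json_error( 'order already used', 409 );
    }
    // 3. Status and amount come from the gateway, never from the request body.
    $order = em_fetch_paypal_order( $order_id );
    if ( is_wp_error( $order ) || 'COMPLETED' !== ( $order['status'] ?? '' ) ) {
        wp_send_json_error( 'payment not verified', 402 );
    }
    $unit    = $order['purchase_units'][0] ?? array();
    $capture = $unit['payments']['captures'][0] ?? array();
    $paid    = (float) ( $capture['amount']['value'] ?? 0 );
    $cur     = $capture['amount']['currency_code'] ?? '';
    // 4. Amount, currency and booking reference must match the server-side record.
    if ( abs( $paid - (float) get_post_meta( $booking_id, '_em_total', true ) ) > 0.005
        || $cur !== get_post_meta( $booking_id, '_em_currency', true )
        || (string) $booking_id !== ( $unit['custom_id'] ?? '' ) ) {
        wp_send_json_error( 'payment does not match booking', 402 );
    }
    update_post_meta( $booking_id, '_em_order_id', $order_id );
    update_post_meta( $booking_id, '_em_status', 'Completed' );
    wp_send_json_success( array( 'booking_id' => $booking_id ) );
}
// Server-side lookup against the PayPal Orders v2 API using a server-held token.
function em_fetch_paypal_order( $order_id ) {
    $resp = wp_remote_get(
        'https://api-m.paypal.com/v2/checkout/orders/' . rawurlencode( $order_id ),
        array( 'headers' => array( 'Authorization' => 'Bearer ' . EM_PAYPAL_ACCESS_TOKEN ) )
    );
    if ( is_wp_error( $resp ) || 200 !== wp_remote_retrieve_response_code( $resp ) ) {
        return new WP_Error( 'em_gateway', 'gateway lookup failed' );
    }
    return json_decode( wp_remote_retrieve_body( $resp ), true );
}
```

The same pattern applies to any gateway: the only client-supplied value that should survive is an opaque order reference, and every field that affects booking state is fetched from the gateway and compared with what the server already stored.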

Explanation of Vulnerability in Simple Terms

Summary

Event Monster versions up to 2.1.0 contain an integrity vulnerability allowing network-based modification of data without authentication. The plugin fails to properly validate or protect against unauthorized changes to event or booking information. Site administrators should update immediately to a version newer than 2.1.0.

What an attacker can do

Attacker Capabilities

Modify event data, ticket information, or booking records without logging in.

Potential impact on your site

Site Impact

Event details, pricing, or attendee records could be altered by unauthorized parties.

Conditions required to exploit

Prerequisites

Network access to the site; no authentication or user interaction required.

Key dates

Disclosure timeline

June 5, 2026: CVE published
June 6, 2026: Record updated