Easy PayPal Events & Tickets 1.3 Information Disclosure via QR...

8.2 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Description

Easy PayPal Events & Tickets plugin for WordPress versions 1.3 and earlier contain an information disclosure vulnerability in the QR code scanning endpoint that allows unauthenticated attackers to enumerate and retrieve all customer order records. Attackers can iterate over sequential WordPress post IDs through the scan_qr.php endpoint to harvest the complete set of orders stored in the database without requiring authentication or prior knowledge of specific order identifiers. This plugin was officially closed as of 2026-03-18.

Basic Information

ID CVE-2026-41471

Source VulnCheck

Published May 4, 2026 at 17:40

Affected Product

Vendor Scott Paterson

Product easy-paypal-events-tickets

Affected Versions Scott Paterson easy-paypal-events-tickets 0

CWE Classification

CWE-639

References

{
    "lastseen": "",
    "description": "Easy PayPal Events & Tickets plugin for WordPress versions 1.3 and earlier contain an information disclosure vulnerability in the QR code scanning endpoint that allows unauthenticated attackers to enumerate and retrieve all customer order records. Attackers can iterate over sequential WordPress post IDs through the scan_qr.php endpoint to harvest the complete set of orders stored in the database without requiring authentication or prior knowledge of specific order identifiers. This plugin was officially closed as of 2026-03-18.",
    "published": "2026-05-04T17:40:31.322Z",
    "modified": "2026-05-04T17:40:31.322Z",
    "type": "cve",
    "title": "Easy PayPal Events & Tickets 1.3 Information Disclosure via QR Code Endpoint",
    "source": "VulnCheck",
    "references": "https://gist.github.com/4lec4st/9fd04b4bfadb3f7e388f61588f5f2564\nhttps://wordpress.org/plugins/easy-paypal-events-tickets\nhttps://www.vulncheck.com/advisories/easy-paypal-events-tickets-information-disclosure-via-qr-code-endpoint",
    "id": "CVE-2026-41471",
    "bulletinFamily": "",
    "cwe": [
        "CWE-639"
    ],
    "cvelist": null,
    "sourceData": "Scott Paterson easy-paypal-events-tickets 0",
    "sourceHref": "",
    "cvss": {
        "score": 8.2,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "easy-paypal-events-tickets",
    "version": "0",
    "vendor": "Scott Paterson",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Easy PayPal Events & Tickets 1.3 Information Disclosure via QR Code Endpoint_CVE-2026-41471