CVE-2026-4109
Received Received - Intake
Unauthorized Data Access in Eventin Plugin via Improper Capability Check

Publication date: 2026-04-14

Last updated on: 2026-04-14

Assigner: Wordfence

Description
The Eventin – Events Calendar, Event Booking, Ticket & Registration (AI Powered) plugin for WordPress is vulnerable to unauthorized access of data due to a improper capability check on the get_item_permissions_check() function in all versions up to, and including, 4.1.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read arbitrary order data including customer PII (name, email, phone) by iterating order IDs.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-14
Last Modified
2026-04-14
Generated
2026-06-16
AI Q&A
2026-04-14
EPSS Evaluated
2026-06-15
NVD
CVE-2026-4109
EUVD
EUVD-2026-22231
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
eventin events_calendar to 4.1.8 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The Eventin – Events Calendar, Event Booking, Ticket & Registration (AI Powered) plugin for WordPress has a vulnerability due to an improper capability check in the get_item_permissions_check() function in all versions up to 4.1.8.

This flaw allows authenticated users with Subscriber-level access or higher to access data they should not be able to see.

Specifically, attackers can read arbitrary order data by iterating over order IDs.

Impact Analysis

This vulnerability can lead to unauthorized disclosure of customer personally identifiable information (PII), including names, emails, and phone numbers.

An attacker with at least Subscriber-level access can exploit this to read order data that should be restricted.

Such unauthorized access can compromise customer privacy and potentially damage trust in the affected website.

Compliance Impact

This vulnerability allows authenticated attackers with Subscriber-level access and above to read arbitrary order data including customer personally identifiable information (PII) such as name, email, and phone number.

Unauthorized access to customer PII can lead to non-compliance with data protection regulations like GDPR and HIPAA, which require strict controls on access to personal data to protect user privacy and ensure data security.

Mitigation Strategies

To mitigate this vulnerability, you should update the Eventin – Events Calendar, Event Booking, Ticket & Registration (AI Powered) plugin for WordPress to a version later than 4.1.8 where the improper capability check issue in the get_item_permissions_check() function is fixed.

Additionally, restrict Subscriber-level access and above to trusted users only, as the vulnerability allows authenticated users with such access to read arbitrary order data including customer PII.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-4109. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart