CVE-2026-4109
Unauthorized Data Access in Eventin Plugin via Improper Capability Check
Publication date: 2026-04-14
Last updated on: 2026-04-14
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| eventin | events_calendar | to 4.1.8 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability allows authenticated attackers with Subscriber-level access and above to read arbitrary order data including customer personally identifiable information (PII) such as name, email, and phone number.
Unauthorized access to customer PII can lead to non-compliance with data protection regulations like GDPR and HIPAA, which require strict controls on access to personal data to protect user privacy and ensure data security.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should update the Eventin β Events Calendar, Event Booking, Ticket & Registration (AI Powered) plugin for WordPress to a version later than 4.1.8 where the improper capability check issue in the get_item_permissions_check() function is fixed.
Additionally, restrict Subscriber-level access and above to trusted users only, as the vulnerability allows authenticated users with such access to read arbitrary order data including customer PII.
Can you explain this vulnerability to me?
The Eventin β Events Calendar, Event Booking, Ticket & Registration (AI Powered) plugin for WordPress has a vulnerability due to an improper capability check in the get_item_permissions_check() function in all versions up to 4.1.8.
This flaw allows authenticated users with Subscriber-level access or higher to access data they should not be able to see.
Specifically, attackers can read arbitrary order data by iterating over order IDs.
How can this vulnerability impact me? :
This vulnerability can lead to unauthorized disclosure of customer personally identifiable information (PII), including names, emails, and phone numbers.
An attacker with at least Subscriber-level access can exploit this to read order data that should be restricted.
Such unauthorized access can compromise customer privacy and potentially damage trust in the affected website.