CVE-2026-32834
Deferred - Pending Action
Hardcoded Authentication Bypass in Easy PayPal Events & Tickets

Publication date: 2026-05-04

Last updated on: 2026-05-04

Assigner: VulnCheck

Description
The Easy PayPal Events & Tickets plugin for WordPress, version 1.3 and earlier, contains a hardcoded authentication bypass vulnerability in the QR code scanning functionality that allows unauthenticated remote attackers to bypass hash verification by supplying 'test' as the hash parameter. Attackers can access the vulnerable endpoint via the add_wpeevent_button_qr action to retrieve sensitive order details including PayPal transaction IDs, customer email addresses, purchase amounts, and ticket information for any order with a known or guessed post ID. This plugin was officially closed as of 2026-03-18.
Meta Information
Published: 2026-05-04
Last Modified: 2026-05-04
Generated: 2026-05-07
AI Q&A: 2026-05-05
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
easy_paypal_events_and_tickets plugin to 1.3 (exc)
CWE ID Description
CWE-798 The product contains hard-coded credentials, such as a password or cryptographic key.
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability allows unauthenticated remote attackers to access sensitive order details including PayPal transaction IDs, customer email addresses, purchase amounts, and ticket information. Exposure of such personal and financial data can lead to non-compliance with data protection regulations such as GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access.

Specifically, the unauthorized disclosure of customer email addresses and transaction details may violate GDPR's requirements for protecting personal data and ensuring data confidentiality. Similarly, if any health-related information were involved, HIPAA compliance could be impacted due to unauthorized access to protected information.


Can you explain this vulnerability to me?

The Easy PayPal Events & Tickets plugin for WordPress version 1.3 and earlier contains a hardcoded authentication bypass vulnerability in its QR code scanning functionality.

This vulnerability allows unauthenticated remote attackers to bypass hash verification by supplying the string 'test' as the hash parameter.

Attackers can access a vulnerable endpoint via the add_wpeevent_button_qr action to retrieve sensitive order details.

  • Sensitive details exposed include PayPal transaction IDs, customer email addresses, purchase amounts, and ticket information for any order with a known or guessed post ID.

The plugin was officially closed as of March 18, 2026.
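
Because the bypass value is a fixed string and the plugin is closed, web access logs are a practical place to look for use of the endpoint. The following log check is an added example, not code from the plugin or from this advisory; the query parameter name `hash`, the `admin-ajax.php` path in the sample lines, and the log lines themselves are assumptions constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

ACTION = "add_wpeevent_button_qr"  # action name given in the advisory
BYPASS_VALUE = "test"              # hardcoded value given in the advisory
HASH_PARAM = "hash"                # assumption: the real parameter name may differ

# Combined Log Format prefix: ip ident user [time] "METHOD target PROTO" status
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*" (\d{3})')

# Constructed sample lines (documentation IP ranges, assumed request path).
SAMPLE_LOG = [
    '203.0.113.7 - - [05/May/2026:10:00:01 +0000] "GET /wp-admin/admin-ajax.php'
    '?action=add_wpeevent_button_qr&hash=test HTTP/1.1" 200 512',
    '203.0.113.7 - - [05/May/2026:10:00:02 +0000] "GET /wp-admin/admin-ajax.php'
    '?action=add_wpeevent_button_qr&hash=%74est HTTP/1.1" 200 498',
    '198.51.100.4 - - [05/May/2026:10:05:00 +0000] "GET /wp-admin/admin-ajax.php'
    '?action=add_wpeevent_button_qr&hash=9f2c4e1ab0 HTTP/1.1" 200 505',
    '198.51.100.9 - - [05/May/2026:10:06:00 +0000] "GET /wp-admin/admin-ajax.php'
    '?action=heartbeat HTTP/1.1" 200 40',
]

def scan(lines):
    """Return (bypass_hits, requests_per_client) for the QR-scan action."""
    hits, per_ip = [], Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not an access-log line we understand
        ip, target, status = m.groups()
        # parse_qs percent-decodes values, so 'hash=%74est' is caught as 'test'.
        query = parse_qs(urlsplit(target).query, keep_blank_values=True)
        if ACTION not in query.get("action", []):
            continue
        per_ip[ip] += 1  # volume per client hints at post ID guessing
        if BYPASS_VALUE in query.get(HASH_PARAM, []):
            hits.append((ip, int(status), target))
    return hits, per_ip

if __name__ == "__main__":
    hits, per_ip = scan(SAMPLE_LOG)
    for ip, status, target in hits:
        print(f"bypass value seen: {ip} status={status} {target}")
    print("requests to action per client:", dict(per_ip))
```

Parameters sent in a POST body do not appear in standard access logs, so this check only sees query-string requests; WAF or application-level logging is needed to cover the rest.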


How can this vulnerability impact me?

This vulnerability can lead to unauthorized disclosure of sensitive customer and transaction information.

  • Attackers can obtain PayPal transaction IDs, which could be used for fraudulent activities or financial exploitation.
  • Customer email addresses can be exposed, increasing the risk of phishing or spam attacks.
  • Purchase amounts and ticket information can be accessed, potentially compromising customer privacy and business data.

Overall, this vulnerability can lead to privacy breaches and financial risks for both customers and the business.

