CVE-2026-8608
Insufficient Payment Verification in Event Monster WordPress Plugin
Publication date: 2026-06-06
Last updated on: 2026-06-06
Assigner: Wordfence
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| event_monster | event_management_events_calendar_tickets | up to 2.1.0 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-345 | The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data. |
AI Powered Q&A
Can you explain this vulnerability to me?
The Event Monster plugin for WordPress, up to version 2.1.0, has a vulnerability where its capture_payment() AJAX handler trusts payment data sent by clients without verifying it on the server side.
This means that attackers can send forged payment information such as transaction ID, amount, and payment status without any checks against PayPal or other payment gateways, and without nonce or capability verification.
As a result, unauthenticated attackers can mark bookings as completed and receive confirmation emails with valid QR code tickets without actually making any payment.
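A hardened shape for the kind of handler described above, as an added example that is not the plugin's code: every `em_`-prefixed name is a hypothetical placeholder, and the PayPal Orders v2 lookup is assumed as the gateway check. The point is that nonce, booking state, and the gateway's own view of status and amount decide the outcome, never fields posted by the client.

```php
<?php
// Added example, not Event Monster code. em_* helpers are hypothetical placeholders.
add_action( 'wp_ajax_em_capture_payment', 'em_capture_payment_hardened' );
add_action( 'wp_ajax_nopriv_em_capture_payment', 'em_capture_payment_hardened' );

function em_capture_payment_hardened() {
    // 1. Reject requests that do not carry the nonce issued with the booking form.
    check_ajax_referer( 'em_capture_payment', 'nonce' );

    $booking_id = absint( $_POST['booking_id'] ?? 0 );
    $order_id   = sanitize_text_field( wp_unslash( $_POST['order_id'] ?? '' ) );
    if ( ! $booking_id || ! preg_match( '/^[A-Z0-9]{1,32}$/', $order_id ) ) {
        wp_send_json_error( 'bad request', 400 );
    }

    // 2. Expected amount comes from the server-side booking record, never from the client.
    $booking = em_load_booking( $booking_id ); // hypothetical: ['amount'=>'25.00','currency'=>'EUR','status'=>'pending']
    if ( ! $booking || 'pending' !== $booking['status'] ) {
        wp_send_json_error( 'booking not payable', 409 );
    }

    // 3. Ask the gateway what it knows about the order. The access token is a server-held
    //    secret; the client never supplies transaction status or amount.
    $resp = wp_remote_get( 'https://api-m.paypal.com/v2/checkout/orders/' . rawurlencode( $order_id ), array(
        'headers' => array( 'Authorization' => 'Bearer ' . em_paypal_access_token() ), // hypothetical helper
        'timeout' => 15,
    ) );
    if ( is_wp_error( $resp ) || 200 !== wp_remote_retrieve_response_code( $resp ) ) {
        wp_send_json_error( 'gateway lookup failed', 502 );
    }
    $order = json_decode( wp_remote_retrieve_body( $resp ), true );

    // 4. Only the gateway's status, amount and currency decide whether the booking is paid.
    $unit  = $order['purchase_units'][0]['amount'] ?? array();
    $paid  = ( 'COMPLETED' === ( $order['status'] ?? '' ) );
    $match = isset( $unit['value'], $unit['currency_code'] )
          && number_format( (float) $unit['value'], 2, '.', '' ) === $booking['amount']
          && $unit['currency_code'] === $booking['currency'];
    if ( ! $paid || ! $match ) {
        em_log_payment_mismatch( $booking_id, $order_id, $order ); // hypothetical: audit trail for detection
        wp_send_json_error( 'payment not verified', 402 );
    }

    // 5. Bind the order id to this booking so one capture cannot be reused for another.
    em_mark_booking_paid( $booking_id, $order_id ); // hypothetical: rejects already-used order ids
    wp_send_json_success( array( 'booking_id' => $booking_id ) );
}
```

Logging mismatches between client-posted values and the gateway's response gives operators a concrete signal for spotting attempts to complete bookings without payment.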
How can this vulnerability impact me?
This vulnerability allows attackers to fraudulently complete bookings and obtain valid tickets without paying.
This can lead to financial losses for event organizers as payments are bypassed.
Additionally, it can cause operational issues such as overbooking and undermine trust in the event management system.