CVE-2026-8608
Deferred Deferred - Pending Action
Insufficient Payment Verification in Event Monster WordPress Plugin

Publication date: 2026-06-06

Last updated on: 2026-06-08

Assigner: Wordfence

Description
The Event Monster – Event Management, Events Calendar, Tickets plugin for WordPress is vulnerable to Insufficient Verification of Data Authenticity in versions up to, and including, 2.1.0. This is due to the capture_payment() AJAX handler (registered via wp_ajax_nopriv_em_capture_payment) trusting client-supplied payment data β€” including transaction ID, amount, and payment status β€” without performing any server-side verification against the PayPal API or any other payment gateway, and without nonce or capability checks. This makes it possible for unauthenticated attackers to forge payment records, mark bookings as Completed, and obtain confirmation emails containing valid QR code tickets without making any actual payment.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-06
Last Modified
2026-06-08
Generated
2026-06-27
AI Q&A
2026-06-06
EPSS Evaluated
2026-06-25
NVD
CVE-2026-8608
EUVD
EUVD-2026-34931
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
event_monster event_management_events_calendar_tickets to 2.1.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-345 The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The Event Monster plugin for WordPress, up to version 2.1.0, has a vulnerability where its capture_payment() AJAX handler trusts payment data sent by clients without verifying it on the server side.

This means that attackers can send forged payment information such as transaction ID, amount, and payment status without any checks against PayPal or other payment gateways, and without nonce or capability verification.

As a result, unauthenticated attackers can mark bookings as completed and receive confirmation emails with valid QR code tickets without actually making any payment.

Impact Analysis

This vulnerability allows attackers to fraudulently complete bookings and obtain valid tickets without paying.

This can lead to financial losses for event organizers as payments are bypassed.

Additionally, it can cause operational issues such as overbooking and undermine trust in the event management system.

Compliance Impact

The vulnerability allows unauthenticated attackers to forge payment records and obtain confirmation emails with valid QR code tickets without actual payment. This could lead to unauthorized access to services or events and potential misuse of personal data contained in confirmation emails.

Such unauthorized access and potential exposure or misuse of personal data may negatively impact compliance with data protection regulations like GDPR, which require protection of personal data and prevention of unauthorized access.

However, the provided information does not explicitly detail the impact on specific compliance standards such as HIPAA or others.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-8608. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart