CVE-2026-9701
Received Received - Intake

Insecure Password Reset in Eventer WordPress Plugin

Vulnerability report for CVE-2026-9701, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-08

Last updated on: 2026-07-08

Assigner: Wordfence

Description

The Eventer plugin for WordPress is vulnerable to an insecure password reset mechanism in all versions up to, and including, 4.4.2. The plugin stores a plaintext copy of the password reset key in the `eventer_verification_code` user meta field when a user requests a password reset. The plaintext key stored in `wp_usermeta` can be used with the plugin's custom reset action to set a new password for any user. Combined with another vulnerability such as SQL Injection (CVE-2026-9700), this makes it possible for unauthenticated attackers to extract the plaintext reset key and take over any user account, including administrators. Note: The password reset function only works up to PHP version 7.4.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-08
Last Modified
2026-07-08
Generated
2026-07-08
AI Q&A
2026-07-08
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Currently, no data is known.

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-289 The product performs authentication based on the name of a resource being accessed, or the name of the actor performing the access, but it does not properly check all possible names for that resource or actor.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The Eventer plugin for WordPress has a vulnerability in its password reset mechanism in all versions up to 4.4.2. When a user requests a password reset, the plugin stores the reset key in plaintext in the user meta field called `eventer_verification_code`. This plaintext key can be used with the plugin's custom reset action to set a new password for any user.

If combined with another vulnerability like SQL Injection (CVE-2026-9700), an attacker who is not authenticated can extract this plaintext reset key and take over any user account, including administrator accounts.

Note that this password reset function vulnerability only applies to PHP versions up to 7.4.

Impact Analysis

This vulnerability can allow an unauthenticated attacker to take over any user account on a WordPress site using the Eventer plugin, including administrator accounts.

By exploiting the insecure password reset mechanism and potentially combining it with an SQL Injection vulnerability, attackers can reset passwords without authorization, leading to full account compromise.

Such an account takeover can result in loss of control over the website, data breaches, unauthorized changes, and potential further exploitation.

Compliance Impact

This vulnerability involves the storage of plaintext password reset keys in the user meta field, which can be exploited to take over user accounts, including administrators. Such exposure of sensitive authentication data can lead to unauthorized access to personal and protected information.

Storing sensitive data like password reset keys in plaintext and the potential for unauthorized account takeover may violate data protection requirements under standards such as GDPR and HIPAA, which mandate appropriate safeguards to protect personal and health information.

Therefore, this vulnerability could negatively impact compliance with these regulations by failing to ensure confidentiality and integrity of user credentials and personal data.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-9701. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart