Eventin – Events Calendar, Event Booking, Ticket & Registration (AI Powered) Plugin Vulnerability (CVE-2026-4109)

Security Alert Summary

The Eventin – Events Calendar, Event Booking, Ticket & Registration (AI Powered) plugin for WordPress contains an improper capability check that can allow authenticated users with Subscriber-level access and above to read arbitrary order records. The issue can expose customer personally identifiable information (name, email, phone) by iterating order IDs.


CVE Details

  • CVE ID: CVE-2026-4109
  • Affected component: Eventin – Events Calendar, Event Booking, Ticket & Registration (AI Powered) plugin for WordPress
  • Affected versions: All versions up to, and including, 4.1.8
  • Published: April 14, 2026 at 9:16:36 AM
  • Last modified: April 14, 2026 at 9:16:36 AM
  • CVSS v3.1: Base Score 4.3, Severity MEDIUM, Vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
  • Authentication / privileges / user interaction: Authenticated attacker required; privileges required: LOW (Subscriber-level and above); user interaction: NONE
  • Primary impact: Confidentiality: LOW; Integrity: NONE; Availability: NONE
  • Weakness: CWE-862 (Missing Authorization)

Technical Details

This vulnerability is caused by an improper capability check in the get_item_permissions_check() function. Because the function does not correctly verify whether the requesting user has permission to access specific order records, an authenticated user with Subscriber-level access or higher can iterate order IDs and retrieve order data. The retrieved data can include customer PII such as names, email addresses, and phone numbers. The issue is a missing or incorrect authorization check rather than a flaw in encryption or data storage.
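To make the CWE-862 pattern concrete, here is an added illustration (not Eventin's own code) of a REST item endpoint whose permission callback only checks that the caller is logged in, beside a hardened callback that also checks capability and ownership. It assumes a hypothetical order post type `demo_order` that stores the buyer's user ID in the post meta key `_customer_user_id`; the route namespace `demo/v1` is likewise made up for the example.

```php
<?php
// Added example, not code from the Eventin plugin. Assumptions (hypothetical):
// orders are posts of type 'demo_order' and the buyer's WP user ID is stored in
// post meta '_customer_user_id'.

// Weak check: every authenticated user, Subscriber included, passes, so a
// caller can walk /orders/1, /orders/2, ... and read other customers' records.
function demo_order_permission_weak( WP_REST_Request $request ) {
    return is_user_logged_in();
}

// Hardened check: the order must exist and be of the expected type, and the
// caller must either manage the site or be the customer who placed the order.
function demo_order_permission_hardened( WP_REST_Request $request ) {
    $order_id = absint( $request->get_param( 'id' ) );
    $order    = get_post( $order_id );
    // One uniform error for "missing" and "not yours" so IDs cannot be probed
    // by comparing responses (401 when anonymous, 403 when authenticated).
    $denied = new WP_Error(
        'rest_forbidden',
        __( 'You are not allowed to view this order.' ),
        array( 'status' => rest_authorization_required_code() )
    );

    if ( ! $order || 'demo_order' !== $order->post_type ) {
        return $denied;
    }
    if ( current_user_can( 'manage_options' ) ) {
        return true;
    }
    $owner_id = (int) get_post_meta( $order_id, '_customer_user_id', true );
    if ( $owner_id > 0 && $owner_id === get_current_user_id() ) {
        return true;
    }
    return $denied;
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'demo/v1', '/orders/(?P<id>\d+)', array(
        'methods'             => WP_REST_Server::READABLE,
        'permission_callback' => 'demo_order_permission_hardened',
        'callback'            => function ( WP_REST_Request $request ) {
            $id = absint( $request->get_param( 'id' ) );
            return rest_ensure_response( array( 'id' => $id, 'status' => get_post_status( $id ) ) );
        },
        'args' => array( 'id' => array( 'validate_callback' => 'is_numeric' ) ),
    ) );
} );
```

The same ownership-or-capability test belongs in `get_item_permissions_check()` of any `WP_REST_Controller` subclass that serves per-customer records; `permission_callback` is required by WordPress for every registered route since 5.5.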


How This Could Impact Your Website

In a realistic scenario, a site owner manages events and ticketing while internal staff (event managers) and external contractors (marketing or support contractors) have WordPress accounts with various roles. An authenticated external contributor or a Subscriber-level account could enumerate order IDs and access customer order details. Exposed customer PII increases the risk of targeted phishing or social engineering against customers and staff, and it could also reveal contact information used internally for notifications.

These impacts are aligned with the CVSS confidentiality impact rating of LOW and do not imply arbitrary code execution or complete site takeover. If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review.


Recommended Actions

  • Update the affected plugin as soon as a patched version is available.
  • Review and reduce unnecessary user roles and capabilities, especially for contributors and Subscriber-level accounts.
  • Enforce strong passwords and enable two-factor authentication for editors and administrators.
  • Remove unused or unmaintained plugins to reduce your attack surface.
  • Monitor site activity and access logs for unusual behavior, such as enumeration of order IDs or unexpected REST API requests.

If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.
