{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39535", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-04-07T10:48:15.448Z", "datePublished": "2026-04-08T08:30:16.732Z", "dateUpdated": "2026-04-29T09:52:02.221Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "widget-for-eventbrite-api", "product": "Display Eventbrite Events", "vendor": "fullworks", "versions": [{"changes": [{"at": "6.5.7", "status": "unaffected"}], "lessThanOrEqual": "6.5.6", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Bao - BlueRock | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-08T10:29:00.613Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in fullworks Display Eventbrite Events widget-for-eventbrite-api allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Display Eventbrite Events: from n/a through <= 6.5.6.</p>"}], "value": "Missing Authorization vulnerability in fullworks Display Eventbrite Events widget-for-eventbrite-api allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Display Eventbrite Events: from n/a through <= 6.5.6."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-29T09:52:02.221Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/widget-for-eventbrite-api/vulnerability/wordpress-display-eventbrite-events-plugin-6-5-6-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress Display Eventbrite Events plugin <= 6.5.6 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-13T18:40:09.863816Z", "id": "CVE-2026-39535", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T19:38:02.108Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-39535", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-13T18:40:09.863816Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T18:20:18.935Z"}}], "cna": {"title": "WordPress Display Eventbrite Events plugin <= 6.5.6 - Broken Access Control vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Bao - BlueRock | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "affected": [{"vendor": "fullworks", "product": "Display Eventbrite Events", "versions": [{"status": "affected", "changes": [{"at": "6.5.7", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "6.5.6"}], "packageName": "widget-for-eventbrite-api", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-08T10:29:00.613Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/widget-for-eventbrite-api/vulnerability/wordpress-display-eventbrite-events-plugin-6-5-6-broken-access-control-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in fullworks Display Eventbrite Events widget-for-eventbrite-api allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Display Eventbrite Events: from n/a through <= 6.5.6.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in fullworks Display Eventbrite Events widget-for-eventbrite-api allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Display Eventbrite Events: from n/a through <= 6.5.6.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-08T08:30:16.732Z"}}}, "cveMetadata": {"cveId": "CVE-2026-39535", "state": "PUBLISHED", "dateUpdated": "2026-04-13T19:38:02.108Z", "dateReserved": "2026-04-07T10:48:15.448Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-04-08T08:30:16.732Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in fullworks Display Eventbrite Events widget-for-eventbrite-api allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Display Eventbrite Events: from n/a through <= 6.5.6."}], "id": "CVE-2026-39535", "lastModified": "2026-04-29T10:17:27.347", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "audit@patchstack.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-08T09:16:26.213", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/widget-for-eventbrite-api/vulnerability/wordpress-display-eventbrite-events-plugin-6-5-6-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,6.5.6]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.5.7,*]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Display Eventbrite Events", "source": "cna", "vendor": "fullworks"}, "product": "display_eventbrite_events", "vendor": "fullworks"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-13T21:30:06.057296+00:00", "value": {"mitigation_remediation": ["Upgrade the Fullworks Display Eventbrite Events plugin to a version newer than 6.5.6.", "If an upgrade is not possible, deactivate the plugin until a patch is available.", "Audit WordPress user roles and remove unnecessary elevated privileges that could be abused through the plugin.", "Monitor site logs for unusual activity targeting the plugin\u2019s endpoints.", "Consider implementing a web application firewall rule to block suspicious requests to the plugin."], "summary": {"action": "Apply patch", "impact": "Unauthorized access"}, "threat_synthesis": {"affected_systems": "The Fullworks Display Eventbrite Events plugin for WordPress is affected on all releases up to and including version 6.5.6. WordPress sites that have this plugin installed and running the vulnerable version are at risk.", "description_and_impact": "The vulnerability is a missing authorization flaw in the Fullworks Display Eventbrite Events widget-for-eventbrite-api plugin for WordPress. Because the plugin\u2019s access control safeguards are incorrectly configured, an attacker can perform operations reserved for privileged users without proper authorization. This can lead to unauthorized modification or retrieval of event data, compromising the integrity and confidentiality of the event listings that the plugin exposes.", "risk_and_exploitability": "The CVSS score of 5.3 indicates moderate severity. EPSS is below 1%, suggesting a low likelihood of exploitation in the wild, and the vulnerability is not listed in CISA\u2019s KEV catalog. Based on the description, the likely attack surface is via HTTP endpoints provided by the plugin, and the exploit can be attempted by anyone who can reach the site. Successful exploitation would grant the attacker whatever privileges they have in the WordPress environment, allowing them to modify or view event data without authorization."}}}}, "created": "2026-04-08T19:30:25.327656+00:00", "updated": "2026-04-14T16:39:52.543538+00:00", "vendors": ["fullworks", "fullworks$PRODUCT$display_eventbrite_events", "wordpress", "wordpress$PRODUCT$wordpress"]}