{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4109", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-03-13T10:40:12.586Z", "datePublished": "2026-04-14T07:43:03.588Z", "dateUpdated": "2026-04-14T13:00:42.566Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-14T07:43:03.588Z"}, "affected": [{"vendor": "arraytics", "product": "Eventin \u2013 Event Calendar, Event Registration, Tickets & Booking (AI Powered)", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "4.1.8", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Eventin \u2013 Events Calendar, Event Booking, Ticket & Registration (AI Powered) plugin for WordPress is vulnerable to unauthorized access of data due to a improper capability check on the get_item_permissions_check() function in all versions up to, and including, 4.1.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read arbitrary order data including customer PII (name, email, phone) by iterating order IDs."}], "title": "Eventin \u2013 Events Calendar, Event Booking, Ticket & Registration (AI Powered) <= 4.1.8 Missing Authorization to Authenticated (Subscriber+) Order Information Exposure", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/87f82d5d-d89a-440d-8c23-ace5160a0739?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3501510/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Supakiad S."}], "timeline": [{"time": "2026-02-24T00:00:00.000Z", "lang": "en", "value": "Discovered"}, {"time": "2026-03-13T10:55:54.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-04-13T18:46:40.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-14T13:00:31.579916Z", "id": "CVE-2026-4109", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T13:00:42.566Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-4109", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-14T13:00:31.579916Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T13:00:39.021Z"}}], "cna": {"title": "Eventin \u2013 Events Calendar, Event Booking, Ticket & Registration (AI Powered) <= 4.1.8 Missing Authorization to Authenticated (Subscriber+) Order Information Exposure", "credits": [{"lang": "en", "type": "finder", "value": "Supakiad S."}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"}}], "affected": [{"vendor": "arraytics", "product": "Eventin \u2013 Event Calendar, Event Registration, Tickets & Booking (AI Powered)", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "4.1.8"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-02-24T00:00:00.000Z", "value": "Discovered"}, {"lang": "en", "time": "2026-03-13T10:55:54.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-04-13T18:46:40.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/87f82d5d-d89a-440d-8c23-ace5160a0739?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3501510/"}], "descriptions": [{"lang": "en", "value": "The Eventin \u2013 Events Calendar, Event Booking, Ticket & Registration (AI Powered) plugin for WordPress is vulnerable to unauthorized access of data due to a improper capability check on the get_item_permissions_check() function in all versions up to, and including, 4.1.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read arbitrary order data including customer PII (name, email, phone) by iterating order IDs."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-14T07:43:03.588Z"}}}, "cveMetadata": {"cveId": "CVE-2026-4109", "state": "PUBLISHED", "dateUpdated": "2026-04-14T13:00:42.566Z", "dateReserved": "2026-03-13T10:40:12.586Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-04-14T07:43:03.588Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Eventin \u2013 Events Calendar, Event Booking, Ticket & Registration (AI Powered) plugin for WordPress is vulnerable to unauthorized access of data due to a improper capability check on the get_item_permissions_check() function in all versions up to, and including, 4.1.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read arbitrary order data including customer PII (name, email, phone) by iterating order IDs."}], "id": "CVE-2026-4109", "lastModified": "2026-04-22T20:23:16.350", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-14T09:16:36.460", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3501510/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/87f82d5d-d89a-440d-8c23-ace5160a0739?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,4.1.8]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Eventin \u2013 Event Calendar, Event Registration, Tickets & Booking (AI Powered)", "source": "cna", "vendor": "arraytics"}, "product": "eventin_\u2013_event_calendar,_event_registration,_tickets_&_booking_(ai_powered)", "vendor": "arraytics"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-14T09:50:35.811122+00:00", "value": {"mitigation_remediation": ["Apply the latest Eventin plugin update (4.1.9 or newer).", "Verify that the installed plugin version is newer than 4.1.8.", "If an immediate update is not possible, restrict Subscriber and lower roles from accessing order APIs or adjust capabilities via a security plugin.", "Review stored order records for exposed PII and consider sanitization or data redaction.", "Monitor user logins and data access patterns for suspicious activity."], "summary": {"action": "Apply Update", "impact": "Information Exposure"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the WordPress plugin Eventin \u2013 Event Calendar, Event Registration, Tickets & Booking (AI Powered) from the vendor arraytics, for all versions up to 4.1.8 inclusive. Any WordPress site that has this plugin installed at those versions is susceptible to unauthorized disclosure of order data.", "description_and_impact": "The Eventin \u2013 Events Calendar plugin for WordPress has an improper capability check in the get_item_permissions_check() function in all releases up to and including 4.1.8. This flaw allows authenticated users with Subscriber-level access or higher to read arbitrary order data, exposing customer personally identifiable information such as name, email, and phone number. The weakness is categorized as Missing Authorization (CWE-862).", "risk_and_exploitability": "The CVSS score of 4.3 indicates a moderate severity level. The EPSS score is not provided, and the issue is not listed in CISA's KEV catalog. Attackers must be authenticated as a Subscriber or higher role; based on the description, it is inferred that the attacker can iterate through order IDs to retrieve data, but no explicit statement confirms the complexity or time required. Since subscriber accounts are common, the risk of exploitation is considered moderate but still significant due to the potential exposure of sensitive customer information."}}}}, "created": "2026-04-14T16:15:50.315534+00:00", "updated": "2026-04-14T16:30:46.993729+00:00", "vendors": ["arraytics", "arraytics$PRODUCT$eventin_\u2013_event_calendar,_event_registration,_tickets_&_booking_(ai_powered)", "wordpress", "wordpress$PRODUCT$wordpress"]}