CVE-2026-32834
Published: 04 May 2026
Description
Easy PayPal Events & Tickets plugin for WordPress version 1.3 and earlier contain a hardcoded authentication bypass vulnerability in the QR code scanning functionality that allows unauthenticated remote attackers to bypass hash verification by supplying 'test' as the hash parameter.…
more
Attackers can access the vulnerable endpoint via the add_wpeevent_button_qr action to retrieve sensitive order details including PayPal transaction IDs, customer email addresses, purchase amounts, and ticket information for any order with a known or guessed post ID. This plugin was officially closed as of 2026-03-18.
Likely Mitigating ControlsAI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Enables users to notice when hard-coded credentials have been exploited for unauthorized access.
Security training explicitly warns against hard-coded credentials, lowering their use in systems.
Policy and procedures prohibit hard-coded credentials in favor of managed authentication.
External identity providers eliminate the need for hard-coded credentials in applications.
Changing default authenticators prior to first use and protecting content prevents use of hard-coded credentials.
Central credential stores and rotation policies remove the need for hard-coded credentials in configuration files or code.
Intelligence programs surface reports of campaigns that abuse hard-coded credentials in products, prompting removal or replacement and thereby reducing successful exploitation.
Planned investment enables secure credential storage and management systems instead of hard-coded credentials.
Security SummaryAI
CVE-2026-32834 is a hardcoded authentication bypass vulnerability (CWE-798) in the Easy PayPal Events & Tickets plugin for WordPress, affecting versions 1.3 and earlier. The issue exists in the QR code scanning functionality, where attackers can bypass hash verification by supplying the hardcoded value 'test' as the hash parameter. Published on 2026-05-04 with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), it enables high confidentiality impact without requiring privileges or user interaction.
Unauthenticated remote attackers can exploit the vulnerability by accessing the add_wpeevent_button_qr action endpoint. With a known or guessed post ID for any order, they can retrieve sensitive data, including PayPal transaction IDs, customer email addresses, purchase amounts, and ticket information.
No patches are available, as the plugin was officially closed on 2026-03-18. Advisories, including those from VulnCheck, recommend removing or disabling the plugin on affected WordPress installations to mitigate exposure. Additional details are available at the referenced sources: https://gist.github.com/4lec4st/eb20f9934f8c23b4b241f74a8d884ce9, https://wordpress.org/plugins/easy-paypal-events-tickets, and https://www.vulncheck.com/advisories/easy-paypal-events-tickets-authentication-bypass-via-qr-code-scanning.
Details
- CWE(s)