Cyber Posture

CVE-2026-41471

Severity: High · Public PoC

Published: 04 May 2026
Modified: 04 May 2026
KEV Added:
Patch:
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0016 (36.4th percentile)
Risk Priority: 15 (60% EPSS · 20% KEV · 20% CVSS)

Description

The Easy PayPal Events & Tickets plugin for WordPress, versions 1.3 and earlier, contains an information disclosure vulnerability in its QR code scanning endpoint that allows unauthenticated attackers to enumerate and retrieve all customer order records. Attackers can iterate over sequential WordPress post IDs through the scan_qr.php endpoint to harvest the complete set of orders stored in the database without requiring authentication or prior knowledge of specific order identifiers. This plugin was officially closed as of 2026-03-18.

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-639: Per-request decision making makes it harder to bypass authorization using user-controlled keys without proper validation in the decision process.

Addresses CWE-639: Consistent enforcement of approved authorizations makes bypassing via user-controlled keys ineffective.

Security Summary (AI)

CVE-2026-41471 is an information disclosure vulnerability in the Easy PayPal Events & Tickets plugin for WordPress, affecting versions 1.3 and earlier. The flaw exists in the QR code scanning endpoint, scan_qr.php, which exposes customer order records stored as sequential WordPress post IDs in the database. Published on 2026-05-04, it is rated 7.5 on the CVSS 3.1 scale (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) and maps to CWE-639 (Authorization Bypass Through User-Controlled Key).

Unauthenticated attackers can exploit this vulnerability remotely by iterating over sequential post IDs via the scan_qr.php endpoint, enumerating and retrieving the complete set of customer orders without authentication or prior knowledge of specific identifiers. This enables bulk harvesting of sensitive order data from affected sites.

Advisories recommend mitigation by removing or disabling the plugin, as it was officially closed on 2026-03-18 with no patches available. Further details are provided in references including the VulnCheck advisory at https://www.vulncheck.com/advisories/easy-paypal-events-tickets-information-disclosure-via-qr-code-endpoint, the WordPress plugin page at https://wordpress.org/plugins/easy-paypal-events-tickets, and a technical gist at https://gist.github.com/4lec4st/9fd04b4bfadb3f7e388f61588f5f2564.
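Because no patch exists, sites that cannot remove the plugin immediately will want to know whether the enumeration described above has already been attempted. The following is an added detection example, not code from Cyber Posture or from the plugin: it scans web-server access logs for clients that walked runs of consecutive numeric IDs against scan_qr.php. The log lines are constructed, the plugin directory path is assumed, and, since the page does not name the query parameter, every numeric query value is considered.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# Constructed sample access-log lines (combined format). The client IPs are
# documentation ranges and the plugin path and "id" parameter are assumptions.
SAMPLE_LOG = """\
203.0.113.7 - - [04/May/2026:10:00:01 +0000] "GET /wp-content/plugins/easy-paypal-events-tickets/scan_qr.php?id=1041 HTTP/1.1" 200 812
203.0.113.7 - - [04/May/2026:10:00:01 +0000] "GET /wp-content/plugins/easy-paypal-events-tickets/scan_qr.php?id=1042 HTTP/1.1" 200 805
203.0.113.7 - - [04/May/2026:10:00:02 +0000] "GET /wp-content/plugins/easy-paypal-events-tickets/scan_qr.php?id=1043 HTTP/1.1" 200 799
203.0.113.7 - - [04/May/2026:10:00:02 +0000] "GET /wp-content/plugins/easy-paypal-events-tickets/scan_qr.php?id=1044 HTTP/1.1" 404 211
203.0.113.7 - - [04/May/2026:10:00:03 +0000] "GET /wp-content/plugins/easy-paypal-events-tickets/scan_qr.php?id=1045 HTTP/1.1" 200 820
203.0.113.7 - - [04/May/2026:10:00:03 +0000] "GET /wp-content/plugins/easy-paypal-events-tickets/scan_qr.php?id=1046 HTTP/1.1" 200 811
198.51.100.20 - - [04/May/2026:10:05:40 +0000] "GET /wp-content/plugins/easy-paypal-events-tickets/scan_qr.php?id=2210 HTTP/1.1" 200 808
198.51.100.20 - - [04/May/2026:10:07:12 +0000] "GET /wp-content/plugins/easy-paypal-events-tickets/scan_qr.php?id=2214 HTTP/1.1" 200 803
198.51.100.20 - - [04/May/2026:10:08:00 +0000] "GET /wp-login.php HTTP/1.1" 200 4102
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

def longest_consecutive_run(ids):
    """Length of the longest run of consecutive integers in the given set."""
    best = cur = 0
    prev = None
    for n in sorted(ids):
        cur = cur + 1 if prev is not None and n == prev + 1 else 1
        best = max(best, cur)
        prev = n
    return best

def find_enumeration(log_text, endpoint="scan_qr.php", min_run=5):
    """Return {client_ip: longest consecutive-ID run} for clients whose requests
    to `endpoint` walked at least `min_run` consecutive numeric IDs."""
    ids_by_ip = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the scan
        url = urlparse(m["target"])
        if not url.path.endswith("/" + endpoint):
            continue
        # Count every attempt regardless of status: a 404 still marks a probed ID.
        for values in parse_qs(url.query).values():
            ids_by_ip[m["ip"]].update(int(v) for v in values if v.isdigit())
    return {ip: run for ip, ids in ids_by_ip.items()
            if (run := longest_consecutive_run(ids)) >= min_run}

if __name__ == "__main__":
    for ip, run in find_enumeration(SAMPLE_LOG).items():
        print(f"possible order enumeration from {ip}: {run} consecutive IDs")
```

Legitimate QR scans at an event hit scattered order IDs, so a long consecutive run from one client is the signal to act on; a 200 response in such a run means an order record was actually disclosed.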

Details

CWE(s)

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

The CVE describes a remote, unauthenticated information disclosure vulnerability in a public-facing WordPress plugin endpoint (scan_qr.php) that can be directly exploited by iterating sequential IDs, matching the definition of T1190 (Exploit Public-Facing Application).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

References