CVE-2026-40776

Vulnerability

The WP Event Solution plugin (Eventin) for WordPress, versions up to and including 4.1.8, contains a broken access control vulnerability due to missing authorization, authentication, or nonce token checks in certain functions. This allows unauthenticated users to execute actions that should require higher privileges. [1]

Exploitation

An attacker can exploit this vulnerability without any authentication or user interaction by sending crafted requests to the vulnerable endpoints. The vulnerability is expected to be used in mass-exploit campaigns targeting thousands of websites simultaneously. [1]

Impact

Successful exploitation enables an unauthenticated attacker to perform higher privileged actions, potentially leading to unauthorized data access, modification, or other malicious activities. The exact impact depends on the specific functions affected, but it poses a significant risk to site integrity and confidentiality. [1]

Mitigation

The vulnerability is fixed in version 4.1.9 of the WP Event Solution plugin. Users are strongly advised to update immediately. If unable to update, a mitigation rule from Patchstack can block attacks until the update is applied. [1]