CVE-2026-8608
Description
The Event Monster – Event Management, Events Calendar, Tickets plugin for WordPress is vulnerable to Insufficient Verification of Data Authenticity in versions up to, and including, 2.1.0. This is due to the capture_payment() AJAX handler (registered via wp_ajax_nopriv_em_capture_payment) trusting client-supplied payment data — including transaction ID, amount, and payment status — without performing any server-side verification against the PayPal API or any other payment gateway, and without nonce or capability checks. This makes it possible for unauthenticated attackers to forge payment records, mark bookings as Completed, and obtain confirmation emails containing valid QR code tickets without making any actual payment.
Affected products
- (no CPE) range: <=2.1.0
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The `capture_payment()` AJAX handler trusts client-supplied payment details without server-side verification."
Attack vector
Unauthenticated attackers can send a crafted AJAX request to the `em_capture_payment` endpoint. This request can include forged transaction IDs, amounts, and payment statuses. Since the handler lacks nonce or capability checks, it will process this data as legitimate. The vulnerability is triggered by sending a POST request to the WordPress AJAX endpoint with the `action` parameter set to `em_capture_payment` and including parameters like `transaction_id`, `amount`, and `payment_status`.
Affected code
The vulnerability resides in the `capture_payment()` AJAX handler within the `Event_Monster_Ajax` class, specifically in the file `includes/class-event-monster-ajax.php`. This handler is registered via `wp_ajax_nopriv_em_capture_payment`, making it accessible to unauthenticated users.
What the fix does
The patch, as suggested by the reference to `includes/class-event-monster-ajax.php`, likely introduces server-side validation of payment details: the transaction ID would be verified against the payment gateway, and the amount and status confirmed from the gateway's response rather than from the client, before a booking is marked Completed. A nonce check and, where the action is meant for logged-in users, a capability check should also be added so that only authorized requests are processed.
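The following is an added example, not code from the Event Monster plugin or its patch, showing how a WordPress AJAX payment-capture handler with the three controls described above can be structured. Class, method, option and post-meta names (`Example_Booking_Capture`, `_em_expected_amount`, `_em_booking_status`, the `em_paypal_access_token` option) are assumptions, as is the use of the PayPal Orders API lookup for verification; the only values accepted from the client are the booking ID, the gateway transaction ID and the nonce. Amount, currency and payment status are taken from the gateway response and compared with what the server stored when the booking was created.

```php
<?php
// Added example (not the plugin's own code). Demonstrates a hardened
// capture handler: nonce check, capability check for the logged-in route,
// and server-side verification of the transaction with the gateway before
// a booking is marked Completed. All names below are assumptions.

class Example_Booking_Capture {

    public function __construct() {
        // Guest checkout may be legitimate, so the nopriv route stays, but the
        // nonce is tied to the specific booking and nothing the client sends
        // about the payment itself is trusted.
        add_action( 'wp_ajax_em_capture_payment', array( $this, 'capture_payment' ) );
        add_action( 'wp_ajax_nopriv_em_capture_payment', array( $this, 'capture_payment' ) );
    }

    public function capture_payment() {
        $booking_id = isset( $_POST['booking_id'] ) ? absint( $_POST['booking_id'] ) : 0;

        // 1. Nonce bound to this booking; issued when the booking was created.
        //    check_ajax_referer() dies with a 403 on failure.
        check_ajax_referer( 'em_capture_payment_' . $booking_id, 'nonce' );

        // 2. Capability check for the logged-in route: a user may only capture
        //    a booking they own (or they must be able to manage bookings).
        if ( is_user_logged_in() ) {
            $owner = (int) get_post_field( 'post_author', $booking_id );
            if ( $owner !== get_current_user_id() && ! current_user_can( 'manage_options' ) ) {
                wp_send_json_error( array( 'message' => 'Not allowed.' ), 403 );
            }
        }

        $transaction_id = isset( $_POST['transaction_id'] )
            ? sanitize_text_field( wp_unslash( $_POST['transaction_id'] ) )
            : '';
        if ( '' === $transaction_id || ! get_post( $booking_id ) ) {
            wp_send_json_error( array( 'message' => 'Invalid request.' ), 400 );
        }

        // 3. Server-side verification: ask the gateway, never the client.
        $verified = $this->verify_with_gateway( $transaction_id );
        if ( is_wp_error( $verified ) ) {
            wp_send_json_error( array( 'message' => 'Payment could not be verified.' ), 402 );
        }

        // Expected amount/currency were stored server-side at booking time.
        $expected_amount   = (string) get_post_meta( $booking_id, '_em_expected_amount', true );
        $expected_currency = (string) get_post_meta( $booking_id, '_em_expected_currency', true );

        if ( 'COMPLETED' !== $verified['status']
            || 0 !== bccomp( $verified['amount'], $expected_amount, 2 )
            || $verified['currency'] !== $expected_currency ) {
            wp_send_json_error( array( 'message' => 'Payment does not match booking.' ), 402 );
        }

        // Replay protection: one transaction ID can complete only one booking.
        if ( $this->transaction_already_used( $transaction_id, $booking_id ) ) {
            wp_send_json_error( array( 'message' => 'Transaction already used.' ), 409 );
        }

        update_post_meta( $booking_id, '_em_transaction_id', $transaction_id );
        update_post_meta( $booking_id, '_em_booking_status', 'completed' );
        do_action( 'em_booking_completed', $booking_id ); // assumed hook for ticket e-mail

        wp_send_json_success( array( 'booking_id' => $booking_id ) );
    }

    // Looks the order up at the gateway. Assumes a PayPal Orders API
    // endpoint and a stored access token; adapt to the gateway in use.
    private function verify_with_gateway( $transaction_id ) {
        $url      = 'https://api-m.paypal.com/v2/checkout/orders/' . rawurlencode( $transaction_id );
        $response = wp_remote_get( $url, array(
            'timeout' => 15,
            'headers' => array(
                'Authorization' => 'Bearer ' . get_option( 'em_paypal_access_token' ),
                'Content-Type'  => 'application/json',
            ),
        ) );
        if ( is_wp_error( $response ) || 200 !== wp_remote_retrieve_response_code( $response ) ) {
            return new WP_Error( 'gateway', 'Lookup failed.' );
        }
        $body = json_decode( wp_remote_retrieve_body( $response ), true );
        if ( empty( $body['status'] ) || empty( $body['purchase_units'][0]['amount'] ) ) {
            return new WP_Error( 'gateway', 'Unexpected response.' );
        }
        return array(
            'status'   => $body['status'],
            'amount'   => (string) $body['purchase_units'][0]['amount']['value'],
            'currency' => (string) $body['purchase_units'][0]['amount']['currency_code'],
        );
    }

    private function transaction_already_used( $transaction_id, $booking_id ) {
        $found = get_posts( array(
            'post_type'    => 'em_booking', // assumed post type
            'post_status'  => 'any',
            'fields'       => 'ids',
            'exclude'      => array( $booking_id ),
            'meta_key'     => '_em_transaction_id',
            'meta_value'   => $transaction_id,
            'numberposts'  => 1,
        ) );
        return ! empty( $found );
    }
}
```

The point a reviewer would check in any such patch: the client may name which booking and which transaction it is talking about, but the amount, currency and status that decide whether the booking is completed must come from the gateway, and the gateway's answer must be compared with the amount the server itself recorded. The replay check closes the remaining gap where one genuine payment is presented for several bookings.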
Preconditions
- auth: The attacker does not need to be authenticated.
Generated on Jun 6, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- plugins.trac.wordpress.org/browser/event-monster/tags/2.0.1/includes/class-event-monster-ajax.php (nvd)
- plugins.trac.wordpress.org/changeset (nvd)
- www.wordfence.com/threat-intel/vulnerabilities/id/daddfbd2-cff4-4caa-bbdc-9945a635a1d6 (nvd)
News mentions
No linked articles in our index yet.