Search Results (24 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2026-13039 2 Arraytics, Wordpress 2 Eventin – Event Calendar, Event Registration, Tickets & Booking (ai Powered), Wordpress 2026-07-13 5.3 Medium
The Eventin – Event Calendar, Event Registration, Tickets & Booking (AI Powered) plugin for WordPress is vulnerable to authorization bypass due to a regression in versions from 4.0.26 up to and including 4.1.15. This is due to the plugin not properly verifying that a user is authorized to perform an action in the payment_complete() function of PaymentController.php. This makes it possible for unauthenticated attackers to mark unpaid ticket orders as completed by submitting a fabricated SureCart checkout ID or FluentCart cart hash, granting themselves paid event access, QR-code attendee tickets, and order confirmation emails without making any real payment. The wp_rest nonce required to reach the vulnerable endpoint is embedded in every public event page, meaning no WordPress session or credentials are needed to obtain it. This vulnerability represents a regression — the same function and endpoint were previously patched but the fix did not persist through subsequent releases.
CVE-2026-12924 2 Arraytics, Wordpress 2 Eventin – Event Calendar, Event Registration, Tickets & Booking (ai Powered), Wordpress 2026-07-10 6.4 Medium
The Eventin – Event Calendar, Event Registration, Tickets & Booking (AI Powered) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'etn_faq_content' parameter in all versions up to, and including, 4.1.15 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2026-11818 2 Arraytics, Wordpress 2 Wpcafe – Restaurant Menu, Online Food Ordering & Table Booking System, Wordpress 2026-07-10 5.4 Medium
The WPCafe – Restaurant Menu, Online Food Ordering & Table Booking System plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.0.14. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to list, create, update, delete, clone, and bulk-delete notification flow workflows that are intended to be managed only by administrators. The only protection on these endpoints is a wp_rest nonce check, which is obtainable by any logged-in user from the frontend page source.
CVE-2026-57674 2 Arraytics, Wordpress 2 Timetics, Wordpress 2026-07-02 7.1 High
Unauthenticated Cross Site Scripting (XSS) in Timetics <= 1.0.58 versions.
CVE-2026-57621 2 Arraytics, Wordpress 2 Booktics, Wordpress 2026-07-02 9.8 Critical
Unauthenticated PHP Object Injection in Booktics <= 1.0.21 versions.
CVE-2026-57622 2 Arraytics, Wordpress 2 Wpcafe, Wordpress 2026-06-26 4.3 Medium
Subscriber Broken Access Control in WPCafe <= 3.0.14 versions.
CVE-2026-40776 2 Arraytics, Wordpress 2 Wp Event Solution, Wordpress 2026-06-23 7.5 High
Unauthenticated Broken Access Control in WP Event SOlution <= 4.1.8 versions.
CVE-2025-68045 2 Arraytics, Wordpress 2 Wp Event Solution, Wordpress 2026-06-23 7.5 High
Unauthenticated Broken Access Control in WP Event SOlution <= 4.1.12 versions.
CVE-2026-39432 2 Arraytics, Wordpress 2 Timetics, Wordpress 2026-05-12 8.2 High
Missing Authorization vulnerability in Arraytics Timetics allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Timetics: from n/a through 1.0.53.
CVE-2026-39585 2 Arraytics, Wordpress 2 Booktics, Wordpress 2026-05-12 5.3 Medium
Missing Authorization vulnerability in Arraytics Booktics allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Booktics: from n/a through 1.0.16.
CVE-2026-27071 2 Arraytics, Wordpress 2 Wpcafe, Wordpress 2026-04-29 9.1 Critical
Missing Authorization vulnerability in Arraytics WPCafe wp-cafe allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WPCafe: from n/a through <= 3.0.7.
CVE-2025-67915 2 Arraytics, Wordpress 2 Timetics, Wordpress 2026-04-27 8.8 High
Authentication Bypass Using an Alternate Path or Channel vulnerability in Arraytics Timetics timetics allows Authentication Abuse.This issue affects Timetics: from n/a through <= 1.0.46.
CVE-2025-64268 2 Arraytics, Wordpress 2 Timetics, Wordpress 2026-04-24 7.5 High
Missing Authorization vulnerability in Arraytics Timetics timetics allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Timetics: from n/a through <= 1.0.44.
CVE-2025-30828 2 Arraytics, Wordpress 2 Timetics, Wordpress 2026-04-23 5.3 Medium
Missing Authorization vulnerability in Arraytics Timetics timetics allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Timetics: from n/a through <= 1.0.29.
CVE-2026-1919 2 Arraytics, Wordpress 2 Booktics – Booking Calendar For Appointments And Service Businesses, Wordpress 2026-04-22 5.3 Medium
The Booking Calendar for Appointments and Service Businesses – Booktics plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on multiple REST API endpoints in all versions up to, and including, 1.0.16. This makes it possible for unauthenticated attackers to query sensitive data.
CVE-2026-1920 2 Arraytics, Wordpress 2 Booktics – Booking Calendar For Appointments And Service Businesses, Wordpress 2026-04-22 5.3 Medium
The Booking Calendar for Appointments and Service Businesses – Booktics plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'Extension_Controller::update_item_permissions_check' function in all versions up to, and including, 1.0.16. This makes it possible for unauthenticated attackers to install addon plugins.
CVE-2026-4109 2 Arraytics, Wordpress 2 Eventin – Event Calendar, Event Registration, Tickets & Booking (ai Powered), Wordpress 2026-04-22 4.3 Medium
The Eventin – Events Calendar, Event Booking, Ticket & Registration (AI Powered) plugin for WordPress is vulnerable to unauthorized access of data due to a improper capability check on the get_item_permissions_check() function in all versions up to, and including, 4.1.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read arbitrary order data including customer PII (name, email, phone) by iterating order IDs.
CVE-2025-14657 2 Arraytics, Wordpress 2 Eventin, Wordpress 2026-04-20 7.2 High
The Eventin – Event Manager, Events Calendar, Event Tickets and Registrations plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'post_settings' function in all versions up to, and including, 4.0.51. This makes it possible for unauthenticated attackers to modify plugin settings. Furthermore, due to insufficient input sanitization and output escaping on the 'etn_primary_color' setting, this enables unauthenticated attackers to inject arbitrary web scripts that will execute whenever a user accesses a page where Eventin styles are loaded.
CVE-2025-5919 2 Arraytics, Wordpress 2 Appointment Booking Calendar, Wordpress 2026-04-20 6.5 Medium
The Appointment Booking and Scheduling Calendar Plugin – WP Timetics plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on the update and register_routes functions in all versions up to, and including, 1.0.36. This makes it possible for unauthenticated attackers to view and modify booking details.
CVE-2024-37427 1 Arraytics 1 Timetics 2026-04-15 5.3 Medium
Missing Authorization vulnerability in Arraytics Timetics allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Timetics: from n/a through 1.0.21.