CVE-2026-32834: WordPress Easy PayPal Plugin Authentication Bypass

The National Vulnerability Database reports a critical authentication bypass (CVE-2026-32834) in the Easy PayPal Events & Tickets plugin for WordPress, affecting versions 1.3 and earlier. This vulnerability, rated with a CVSS score of 7.5 (HIGH), enables unauthenticated remote attackers to bypass hash verification in the QR code scanning functionality. Attackers can simply supply ‘test’ as the hash parameter to gain unauthorized access.

This flaw resides in the add_wpeevent_button_qr action, allowing attackers with a known or guessed post ID to retrieve sensitive order details. This includes PayPal transaction IDs, customer email addresses, purchase amounts, and ticket information. The plugin was officially closed as of March 18, 2026, indicating its end-of-life and lack of further support, exacerbating the risk for any site still running it.

This is a classic example of a hardcoded bypass (CWE-798) — a fundamental security failure. For defenders, the implications are severe: direct exposure of sensitive customer data without any authentication. This isn’t theoretical; it’s a direct path to data exfiltration and potential fraud. The attacker’s calculus is simple: enumerate post IDs, inject ‘test’, and siphon data. It’s low effort, high reward.

What This Means For You

  • If your organization uses the Easy PayPal Events & Tickets plugin for WordPress, immediately check your version. If it's 1.3 or earlier, you are vulnerable. Remove this plugin NOW; it is no longer supported and poses an unacceptable risk to customer data. Audit your logs for any unauthorized access attempts to the `add_wpeevent_button_qr` endpoint.

Related ATT&CK Techniques

  • T1190 Exploit Public-Facing Application (Initial Access)

Detection Rules

Two detection rules were auto-generated for this incident and mapped to MITRE ATT&CK; the Sigma YAML for the first (severity: critical, T1190) is reproduced below.

title: CVE-2026-32834: WordPress Easy PayPal Plugin Authentication Bypass via QR Code Scan
id: scw-2026-05-04-ai-1
status: experimental
level: critical
description: |
  Detects the authentication bypass in the Easy PayPal Events & Tickets plugin for WordPress (CVE-2026-32834). Attackers exploit it by sending a request to the 'admin-ajax.php' endpoint with the 'action' parameter set to 'add_wpeevent_button_qr' and the 'hash' parameter set to 'test', bypassing hash verification to read sensitive order details.
author: SCW Feed Engine (AI-generated)
date: 2026-05-04
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-32834/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    # cs-uri-stem is the Sigma webserver field for the request path
    cs-uri-stem|endswith: '/wp-admin/admin-ajax.php'
    # both parameters must appear in the same query string; the original rule
    # listed 'cs-uri-query|contains' twice, which YAML collapses to a single key
    cs-uri-query|contains|all:
      - 'action=add_wpeevent_button_qr'
      - 'hash=test'
  condition: selection
falsepositives:
  - Legitimate administrative activity
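
As an added example (not part of the advisory or the plugin's code), the following Python applies the rule's logic to constructed Apache access-log lines, decoding the query string so that parameter values are compared exactly; 'post_id' is an assumed parameter name, since the advisory does not say how the post ID is passed.

```python
"""Flag web-server log lines matching the CVE-2026-32834 bypass pattern.

Added example (not from the advisory or the plugin): applies the Sigma rule's
logic to Apache combined-format access logs. The log lines at the bottom are
constructed samples, and 'post_id' is an assumed parameter name.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Apache combined format: ip ident user [time] "METHOD URI PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) '
)

def is_bypass_attempt(uri: str) -> bool:
    """True when the request hits admin-ajax.php with the vulnerable action and
    the hard-coded 'test' hash. Parameters are URL-decoded and compared exactly,
    so 'hash=tested' does not match but 'hash=%74est' does."""
    parts = urlsplit(uri)
    if not parts.path.endswith("/wp-admin/admin-ajax.php"):
        return False
    qs = parse_qs(parts.query, keep_blank_values=True)
    return ("add_wpeevent_button_qr" in qs.get("action", [])
            and "test" in qs.get("hash", []))

def scan(lines):
    """Return (ip, time, uri, status) for each matching line; lines that do not
    parse are skipped rather than raising."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_bypass_attempt(m["uri"]):
            hits.append((m["ip"], m["time"], m["uri"], int(m["status"])))
    return hits

# Constructed sample log (RFC 5737 documentation addresses, made-up post IDs).
SAMPLE_LOG = [
    '203.0.113.10 - - [04/May/2026:21:20:01 +0000] "GET /wp-admin/admin-ajax.php?action=add_wpeevent_button_qr&post_id=101&hash=test HTTP/1.1" 200 612 "-" "curl/8.5.0"',
    '203.0.113.10 - - [04/May/2026:21:20:02 +0000] "GET /wp-admin/admin-ajax.php?action=add_wpeevent_button_qr&post_id=102&hash=test HTTP/1.1" 200 598 "-" "curl/8.5.0"',
    '198.51.100.7 - - [04/May/2026:21:21:15 +0000] "GET /wp-admin/admin-ajax.php?action=add_wpeevent_button_qr&post_id=101&hash=9c2b7e1f HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
    '198.51.100.8 - - [04/May/2026:21:22:40 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [04/May/2026:21:23:05 +0000] "GET /index.php?hash=test&action=add_wpeevent_button_qr HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, when, uri, status in scan(SAMPLE_LOG):
        print(f"{when} {ip} {status} {uri}")
```

Two consecutive hits from one client against sequential post IDs, as in the sample, is the enumeration pattern the advisory describes and is worth alerting on even when the hash is not 'test'.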


Indicators of Compromise

| ID | Type | Indicator |
|---|---|---|
| CVE-2026-32834 | Auth Bypass | Easy PayPal Events & Tickets plugin for WordPress, version 1.3 and earlier |
| CVE-2026-32834 | Auth Bypass | Hardcoded authentication bypass in QR code scanning functionality |
| CVE-2026-32834 | Auth Bypass | Bypass hash verification by supplying 'test' as the hash parameter |
| CVE-2026-32834 | Information Disclosure | Vulnerable endpoint: add_wpeevent_button_qr action |
| CVE-2026-32834 | Information Disclosure | Retrieves PayPal transaction IDs, customer email addresses, purchase amounts, and ticket information |

Source & Attribution

Source platform: NVD
Channel: National Vulnerability Database
Published: May 04, 2026 at 21:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
