CVE-2026-41471: PayPal Events WordPress Plugin Exposes All Customer Orders
The National Vulnerability Database reports CVE-2026-41471, a high-severity information disclosure vulnerability (CVSS 7.5) in the Easy PayPal Events & Tickets plugin for WordPress, affecting versions 1.3 and earlier. This flaw allows unauthenticated attackers to enumerate and retrieve all customer order records.
The vulnerability resides in the scan_qr.php endpoint. Attackers can iterate over sequential WordPress post IDs through this endpoint, effectively harvesting every order stored in the database without needing authentication or prior knowledge of specific order identifiers. This is a complete compromise of customer transaction data.
Critically, the National Vulnerability Database notes that this plugin was officially closed as of March 18, 2026. This means there will be no official patch. Organizations still running this plugin are operating with an unfixable, high-severity data exposure risk.
What This Means For You
- If your organization uses the Easy PayPal Events & Tickets WordPress plugin (versions 1.3 and earlier), you are actively exposing all customer order records. Since the plugin is deprecated and unpatched, the only viable mitigation is immediate uninstallation and migration to a secure, supported alternative. Audit your web server access logs for any suspicious requests to `scan_qr.php`.
🛡️ Detection Rules
3 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free; export to any SIEM format via the Intel Bot.
CVE-2026-41471: PayPal Events WordPress Plugin Unauthenticated Order Enumeration
```yaml
title: 'CVE-2026-41471: PayPal Events WordPress Plugin Unauthenticated Order Enumeration'
id: scw-2026-05-04-ai-1
status: experimental
level: high
description: |
  Detects unauthenticated access to the scan_qr.php endpoint of the PayPal Events & Tickets WordPress plugin (versions 1.3 and earlier). Attackers can iterate through sequential post IDs to enumerate and retrieve all customer orders, exploiting CVE-2026-41471.
author: SCW Feed Engine (AI-generated)
date: 2026-05-04
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-41471/
tags:
  - attack.discovery
  - attack.t1075
logsource:
  category: webserver
detection:
  selection:
    cs-uri|endswith:
      - '/wp-content/plugins/paypal-events-tickets/scan_qr.php'
    cs-uri-query|contains:
      - 'postid='
    cs-method:
      - 'GET'
  condition: selection
falsepositives:
  - Legitimate administrative activity
```
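The Sigma rule above fires on any GET to `scan_qr.php` carrying a `postid=` parameter, which also matches staff legitimately scanning tickets. The script below is an added example, not code from the advisory, the feed engine or the plugin: it replays web server access logs (the audit step recommended earlier on this page) against the same conditions as the rule and then adds the signal that actually distinguishes the CVE-2026-41471 enumeration pattern, a single client walking through consecutive post IDs. It assumes Apache/Nginx combined log format and takes the endpoint path and parameter name from the Sigma rule; the log lines are constructed for the example.

```python
"""Replay web-server access logs against the scan_qr.php detection conditions
and flag clients that walk through consecutive post IDs (CVE-2026-41471).

Assumptions not stated on the page: combined log format; endpoint path and
parameter name come from the Sigma rule. Sample log lines are constructed."""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

ENDPOINT = "/wp-content/plugins/paypal-events-tickets/scan_qr.php"  # from the Sigma rule
PARAM = "postid"                                                     # from the Sigma rule

# Combined log format: ip ident user [time] "METHOD target PROTO" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+'
)


def parse_hit(line):
    """Return (ip, method, postid, status) for a request to the vulnerable
    endpoint, or None for any other line. postid is None if absent or non-numeric."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    target = urlsplit(m.group("target"))
    if not target.path.endswith(ENDPOINT):
        return None
    values = parse_qs(target.query).get(PARAM, [])
    postid = int(values[0]) if values and values[0].isdigit() else None
    return m.group("ip"), m.group("method"), postid, int(m.group("status"))


def find_enumeration(lines, min_requests=5, min_distinct=5):
    """Group GET hits on the endpoint by client IP and report clients requesting
    many distinct post IDs. sequential_ratio is the share of neighbouring distinct
    IDs that differ by exactly 1; 1.0 means the client walked an unbroken range."""
    per_client = defaultdict(list)
    for line in lines:
        hit = parse_hit(line)
        if hit is None:
            continue
        ip, method, postid, status = hit
        if method == "GET" and postid is not None:
            per_client[ip].append((postid, status))

    findings = {}
    for ip, hits in per_client.items():
        distinct = sorted({pid for pid, _ in hits})
        if len(hits) < min_requests or len(distinct) < min_distinct:
            continue
        steps = [b - a for a, b in zip(distinct, distinct[1:])]
        ratio = round(sum(1 for s in steps if s == 1) / len(steps), 2) if steps else 0.0
        findings[ip] = {
            "requests": len(hits),
            "distinct_ids": len(distinct),
            "id_range": (distinct[0], distinct[-1]),
            "sequential_ratio": ratio,
            "served_200": sum(1 for _, status in hits if status == 200),
        }
    return findings


# Constructed sample: one client sweeping six consecutive IDs, one single
# legitimate scan, one POST without a postid, and one unrelated request.
SAMPLE_LOG = [
    f'203.0.113.7 - - [04/May/2026:21:30:{i:02d} +0000] "GET {ENDPOINT}?postid={1000 + i} HTTP/1.1" 200 512 "-" "python-requests/2.31"'
    for i in range(1, 7)
] + [
    f'198.51.100.2 - - [04/May/2026:21:31:10 +0000] "GET {ENDPOINT}?postid=2048 HTTP/1.1" 200 498 "-" "Mozilla/5.0"',
    f'198.51.100.9 - - [04/May/2026:21:31:12 +0000] "POST {ENDPOINT} HTTP/1.1" 200 120 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [04/May/2026:21:31:15 +0000] "GET /wp-login.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, info in find_enumeration(SAMPLE_LOG).items():
        print(ip, info)
```

The thresholds are deliberately conservative: a ticket scanner at the door produces one ID per request with no ordering, so a high `sequential_ratio` across many distinct IDs is the discriminating signal, while `served_200` tells you how many records were actually returned and therefore what to include in a breach assessment. Tune `min_requests` and `min_distinct` to your traffic, and remember the heuristic only reduces noise relative to the Sigma rule; since the plugin has no patch, the finding that matters most is any hit at all while the plugin is still installed.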
Source: Shimi's Cyber World
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-41471 | Information Disclosure | Easy PayPal Events & Tickets plugin for WordPress versions 1.3 and earlier |
| CVE-2026-41471 | Information Disclosure | Vulnerable endpoint: scan_qr.php |
| CVE-2026-41471 | Information Disclosure | Attack vector: Enumeration of WordPress post IDs to retrieve customer order records |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 04, 2026 at 21:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.