4.3
Unauthorized Access to Eventin Plugin Data
CVE-2026-4109
Summary
The Eventin plugin for WordPress has a security flaw that allows attackers with Subscriber-level access to read sensitive customer information, such as names, emails, and phone numbers, from event orders. This is a serious issue for businesses that use the plugin to manage events and customer data. To protect your customers, update the plugin to the latest version, 4.1.9 or higher, and ensure that users with Subscriber-level access do not have excessive permissions.
Original title
The Eventin – Events Calendar, Event Booking, Ticket & Registration (AI Powered) plugin for WordPress is vulnerable to unauthorized access of data due to an improper capability check on the get_item...
Original description
The Eventin – Events Calendar, Event Booking, Ticket & Registration (AI Powered) plugin for WordPress is vulnerable to unauthorized access of data due to an improper capability check on the get_item_permissions_check() function in all versions up to, and including, 4.1.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read arbitrary order data including customer PII (name, email, phone) by iterating order IDs.
nvd CVSS3.1
4.3
Vulnerability type
CWE-862
Missing Authorization
Published: 14 Apr 2026 · Updated: 14 Apr 2026 · First seen: 14 Apr 2026
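
One way to look for the order-ID iteration described above in web server access logs, as an added example that is not code from the plugin or from this advisory. The REST route shape (`/wp-json/<namespace>/v<N>/orders/<id>`), the combined log format, the thresholds and the sample log lines are assumptions constructed for illustration; adjust the route pattern to the plugin's real single-order endpoint.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed route shape; replace with the plugin's real REST route for single orders.
ORDER_ROUTE = re.compile(r"^/wp-json/[\w-]+/v\d+/orders/(\d+)(?:\?|$)")
# Apache/nginx "combined" access log prefix: ip, timestamp, request line, status.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def find_order_enumeration(lines, min_ids=5, window=timedelta(minutes=10)):
    """Return {client_ip: sorted order IDs} for clients that successfully read
    at least `min_ids` distinct orders inside one sliding `window`."""
    hits = defaultdict(list)  # ip -> [(timestamp, order_id)]
    for line in lines:
        m = LOG_LINE.match(line)
        # Only successful reads matter: a 403 means the capability check held.
        if not m or m["method"] != "GET" or m["status"] != "200":
            continue
        route = ORDER_ROUTE.match(m["path"])
        if route:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            hits[m["ip"]].append((ts, int(route.group(1))))
    flagged = {}
    for ip, events in hits.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Shrink the window from the left until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            ids = {oid for _, oid in events[start:end + 1]}
            if len(ids) >= min_ids:
                flagged[ip] = sorted(ids | set(flagged.get(ip, [])))
    return flagged

# Constructed sample: 203.0.113.7 walks order IDs 101-106; 198.51.100.4 reads one order.
SAMPLE_LOG = [
    f'203.0.113.7 - - [14/Apr/2026:10:00:{s:02d} +0000] '
    f'"GET /wp-json/example-ns/v1/orders/{100 + s} HTTP/1.1" 200 512'
    for s in range(1, 7)
] + [
    '198.51.100.4 - - [14/Apr/2026:10:01:00 +0000] "GET /wp-json/example-ns/v1/orders/55 HTTP/1.1" 200 498',
    '203.0.113.7 - - [14/Apr/2026:10:02:00 +0000] "GET /wp-json/example-ns/v1/orders/107 HTTP/1.1" 403 120',
]
```

Access logs identify clients by IP rather than WordPress account, so flagged addresses still need to be correlated with authenticated sessions to find the Subscriber account involved.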