CVE-2026-32834

HIGH 7.5

Easy PayPal Events & Tickets 1.3 Authentication Bypass via QR Code Scanning

CVSS Score

7.5

EPSS Score

0.0%

EPSS Percentile

0th

Easy PayPal Events & Tickets plugin for WordPress version 1.3 and earlier contain a hardcoded authentication bypass vulnerability in the QR code scanning functionality that allows unauthenticated remote attackers to bypass hash verification by supplying 'test' as the hash parameter. Attackers can access the vulnerable endpoint via the add_wpeevent_button_qr action to retrieve sensitive order details including PayPal transaction IDs, customer email addresses, purchase amounts, and ticket information for any order with a known or guessed post ID. This plugin was officially closed as of 2026-03-18.

CWE	CWE-798
Vendor	scott paterson
Product	easy-paypal-events-tickets
Published	May 4, 2026
Last Updated	May 4, 2026

Stay Ahead of the Next One

Get instant alerts for scott paterson easy-paypal-events-tickets

Be the first to know when new high vulnerabilities affecting scott paterson easy-paypal-events-tickets are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Affected Versions

Scott Paterson / easy-paypal-events-tickets

0 ≤ 1.3

References

NVD ↗ CVE.org ↗ EPSS Data ↗

gist.github.com: https://gist.github.com/4lec4st/eb20f9934f8c23b4b241f74a8d884ce9 wordpress.org: https://wordpress.org/plugins/easy-paypal-events-tickets vulncheck.com: https://www.vulncheck.com/advisories/easy-paypal-events-tickets-authentication-bypass-via-qr-code-scanning

Credits

4lec4st