CVE-2026-41471
Easy PayPal Events & Tickets 1.3 Information Disclosure via QR Code Endpoint
| CVSS Score | 7.5 |
| EPSS Score | 0.0% |
| EPSS Percentile | 0th |
The Easy PayPal Events & Tickets plugin for WordPress, versions 1.3 and earlier, contains an information disclosure vulnerability in the QR code scanning endpoint that allows unauthenticated attackers to enumerate and retrieve all customer order records. Attackers can iterate over sequential WordPress post IDs through the scan_qr.php endpoint to harvest the complete set of orders stored in the database, without authentication or prior knowledge of specific order identifiers. This plugin was officially closed as of 2026-03-18.
| CWE | CWE-639 |
| Vendor | scott paterson |
| Product | easy-paypal-events-tickets |
| Published | May 4, 2026 |
| Last Updated | May 4, 2026 |
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity | None |
| Availability | None |
Affected Versions
Scott Paterson / easy-paypal-events-tickets
0 ≤ 1.3
Credits
4lec4st