Cyber Resilience

CVE-2026-32834

HighPublic PoC

Published: 04 May 2026

Published
04 May 2026
Modified
13 May 2026
KEV Added
Patch
CVSS Score v4 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0045 35.9th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-32834 is a high-severity Use of Hard-coded Credentials (CWE-798) vulnerability in Wordpress (inferred from references). Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 35.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-5 (Authenticator Management).

Deeper analysis

CVE-2026-32834 is a hardcoded authentication bypass vulnerability (CWE-798) in the Easy PayPal Events & Tickets plugin for WordPress, affecting versions 1.3 and earlier. The issue exists in the QR code scanning functionality, where attackers can bypass hash verification by supplying the hardcoded value 'test' as the hash parameter. Published on 2026-05-04 with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), it enables high confidentiality impact without requiring privileges or user interaction.

Unauthenticated remote attackers can exploit the vulnerability by accessing the add_wpeevent_button_qr action endpoint. With a known or guessed post ID for any order, they can retrieve sensitive data, including PayPal transaction IDs, customer email addresses, purchase amounts, and ticket information.

No patches are available, as the plugin was officially closed on 2026-03-18. Advisories, including those from VulnCheck, recommend removing or disabling the plugin on affected WordPress installations to mitigate exposure. Additional details are available at the referenced sources: https://gist.github.com/4lec4st/eb20f9934f8c23b4b241f74a8d884ce9, https://wordpress.org/plugins/easy-paypal-events-tickets, and https://www.vulncheck.com/advisories/easy-paypal-events-tickets-authentication-bypass-via-qr-code-scanning.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Easy PayPal Events & Tickets plugin for WordPress before version 1.4 contains a hardcoded authentication bypass vulnerability in the QR code scanning functionality that allows unauthenticated remote attackers to bypass hash verification by supplying 'test' as the hash parameter. Attackers…

more

can access the vulnerable endpoint via the add_wpeevent_button_qr action to retrieve sensitive order details including PayPal transaction IDs, customer email addresses, purchase amounts, and ticket information for any order with a known or guessed post ID.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Hardcoded credential bypass (CWE-798) in public-facing WordPress plugin directly enables unauthenticated remote exploitation of the web application to retrieve sensitive order/ticket data via the exposed QR endpoint.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2020-36911Shared CWE-798
CVE-2026-30701Shared CWE-798
CVE-2026-35503Shared CWE-798
CVE-2017-20234Shared CWE-798
CVE-2025-42890Shared CWE-798
CVE-2026-27073Shared CWE-798
CVE-2026-25202Shared CWE-798
CVE-2025-56749Shared CWE-798
CVE-2025-1393Shared CWE-798
CVE-2024-55927Shared CWE-798

Affected Assets

Wordpress
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly enforces authentication and authorization on the add_wpeevent_button_qr endpoint so that supplying the hardcoded 'test' hash cannot bypass verification and expose order data.

prevent

Requires proper authenticator management that prohibits embedding static values such as 'test' for QR-code hash verification.

prevent

Mandates validation of the hash parameter so that an attacker-supplied literal value cannot be accepted as valid input.

References