CVE-2026-32834
Published: 04 May 2026
Summary
CVE-2026-32834 is a high-severity Use of Hard-coded Credentials (CWE-798) vulnerability in Wordpress (inferred from references). Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 35.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-5 (Authenticator Management).
Deeper analysis
CVE-2026-32834 is a hardcoded authentication bypass vulnerability (CWE-798) in the Easy PayPal Events & Tickets plugin for WordPress, affecting versions 1.3 and earlier. The issue exists in the QR code scanning functionality, where attackers can bypass hash verification by supplying the hardcoded value 'test' as the hash parameter. Published on 2026-05-04 with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), it enables high confidentiality impact without requiring privileges or user interaction.
Unauthenticated remote attackers can exploit the vulnerability by accessing the add_wpeevent_button_qr action endpoint. With a known or guessed post ID for any order, they can retrieve sensitive data, including PayPal transaction IDs, customer email addresses, purchase amounts, and ticket information.
No patches are available, as the plugin was officially closed on 2026-03-18. Advisories, including those from VulnCheck, recommend removing or disabling the plugin on affected WordPress installations to mitigate exposure. Additional details are available at the referenced sources: https://gist.github.com/4lec4st/eb20f9934f8c23b4b241f74a8d884ce9, https://wordpress.org/plugins/easy-paypal-events-tickets, and https://www.vulncheck.com/advisories/easy-paypal-events-tickets-authentication-bypass-via-qr-code-scanning.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-27045
Vulnerability details
Easy PayPal Events & Tickets plugin for WordPress before version 1.4 contains a hardcoded authentication bypass vulnerability in the QR code scanning functionality that allows unauthenticated remote attackers to bypass hash verification by supplying 'test' as the hash parameter. Attackers…
more
can access the vulnerable endpoint via the add_wpeevent_button_qr action to retrieve sensitive order details including PayPal transaction IDs, customer email addresses, purchase amounts, and ticket information for any order with a known or guessed post ID.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Hardcoded credential bypass (CWE-798) in public-facing WordPress plugin directly enables unauthenticated remote exploitation of the web application to retrieve sensitive order/ticket data via the exposed QR endpoint.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly enforces authentication and authorization on the add_wpeevent_button_qr endpoint so that supplying the hardcoded 'test' hash cannot bypass verification and expose order data.
Requires proper authenticator management that prohibits embedding static values such as 'test' for QR-code hash verification.
Mandates validation of the hash parameter so that an attacker-supplied literal value cannot be accepted as valid input.