CVE-2026-41471

Severity: High · Public PoC available

Published: 04 May 2026

Modified: 26 May 2026
KEV Added: (not listed)
Patch: (none available)
CVSS v4 score: 8.2 (vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0035 (26.8th percentile)
Risk priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-41471 is a high-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in WordPress (affected product inferred from references). Its CVSS base score is 8.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 26.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

CVE-2026-41471 is an information disclosure vulnerability in the Easy PayPal Events & Tickets plugin for WordPress, affecting versions 1.3 and earlier. The flaw is in the QR code scanning endpoint, scan_qr.php, which exposes customer order records; those records are stored as WordPress posts, so their IDs are sequential and predictable. Published on 2026-05-04, it is rated 7.5 on the CVSS 3.1 scale (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) and maps to CWE-639 (Authorization Bypass Through User-Controlled Key).

Unauthenticated attackers can exploit this vulnerability remotely by iterating over sequential post IDs via the scan_qr.php endpoint, enumerating and retrieving the complete set of all customer orders without requiring authentication or prior knowledge of specific identifiers. This enables bulk harvesting of sensitive order data from affected sites.

Advisories recommend mitigation by removing or disabling the plugin, as it was officially closed on 2026-03-18 with no patches available. Further details are provided in references including the VulnCheck advisory at https://www.vulncheck.com/advisories/easy-paypal-events-tickets-information-disclosure-via-qr-code-endpoint, the WordPress plugin page at https://wordpress.org/plugins/easy-paypal-events-tickets, and a technical gist at https://gist.github.com/4lec4st/9fd04b4bfadb3f7e388f61588f5f2564.

Vulnerability details

The Easy PayPal Events & Tickets plugin for WordPress before version 1.4 contains an information disclosure vulnerability in the QR code scanning endpoint that allows unauthenticated attackers to enumerate and retrieve all customer order records. Attackers can iterate over sequential WordPress post IDs through the scan_qr.php endpoint to harvest the complete set of orders stored in the database without requiring authentication or prior knowledge of specific order identifiers.

MITRE ATT&CK Enterprise Techniques (AI-assigned)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The CVE describes a remote, unauthenticated information disclosure vulnerability in a public-facing WordPress plugin endpoint (scan_qr.php) that can be directly exploited by iterating sequential IDs, matching the definition of T1190 (Exploit Public-Facing Application).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

- CVE-2023-36331 (shared CWE-639)
- CVE-2026-33297 (shared CWE-639)
- CVE-2026-41084 (shared CWE-639)
- CVE-2024-50685 (shared CWE-639)
- CVE-2019-25235 (shared CWE-639)
- CVE-2026-28469 (shared CWE-639)
- CVE-2026-33511 (shared CWE-639)
- CVE-2026-40600 (shared CWE-639)
- CVE-2026-5396 (shared CWE-639)
- CVE-2017-20223 (shared CWE-639)

Affected Assets

WordPress (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5, AI-assigned)

prevent: AC-3 (Access Enforcement)
Directly enforces authorization checks on the scan_qr.php endpoint so that sequential post-ID requests cannot retrieve order records without authentication.

prevent: AC-6 (Least Privilege)
Ensures the QR-code endpoint operates with least privilege, denying unauthenticated access to any customer order data by default.

prevent (control ID not stated on the page; the description matches IA-8, Identification and Authentication (Non-Organizational Users))
Requires identification and authentication of non-organizational users before the endpoint is allowed to return any order records.
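What the three controls above mean in code, as an added illustration written for this page and not taken from the Easy PayPal Events & Tickets plugin: a hypothetical WordPress AJAX handler for a QR scan, first in the unchecked form that matches CWE-639 (the request-supplied post ID is the only key used to fetch the record), then in a hardened form that enforces authentication, an explicitly granted capability and record ownership before anything is returned. The post type `ticket_order`, the meta keys, the capability `scan_event_tickets` and the nonce action are all assumptions; the WordPress functions called are the standard ones.

```php
<?php
// Added illustration, not the plugin's own code. Post type, meta keys,
// capability name and nonce action are assumptions for this example.

// UNCHECKED PATTERN (CWE-639): the post ID from the request is the only
// key used to fetch the record, so any caller can walk the sequential ID
// space. Registering it for nopriv makes it reachable unauthenticated.
function insecure_scan_qr() {
    $order_id = absint( $_GET['order_id'] ?? 0 );
    wp_send_json( get_post( $order_id ) ); // whatever post lives at that ID
}
add_action( 'wp_ajax_nopriv_scan_qr', 'insecure_scan_qr' );

// HARDENED PATTERN: the same lookup with AC-3 / AC-6 / IA-8 enforced.
function secure_scan_qr() {
    // 1. Identification and authentication first: no session, no lookup.
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'authentication required', 401 );
    }
    // 2. CSRF token bound to the logged-in session.
    check_ajax_referer( 'scan_qr_nonce', 'nonce' );

    // 3. Least privilege: scanning is an explicitly granted capability,
    //    not something every authenticated account gets by default.
    if ( ! current_user_can( 'scan_event_tickets' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 4. Validate the key and refuse anything that is not an order post.
    $order_id = absint( $_GET['order_id'] ?? 0 );
    $order    = $order_id ? get_post( $order_id ) : null;
    if ( ! $order || 'ticket_order' !== $order->post_type ) {
        wp_send_json_error( 'not found', 404 );
    }

    // 5. Access enforcement: bind the record to the caller. A scanner may
    //    only read orders for events they can edit; an attendee only their own.
    $event_id      = (int) get_post_meta( $order_id, '_event_id', true );
    $manages_event = $event_id && current_user_can( 'edit_post', $event_id );
    $owns_order    = (int) $order->post_author === get_current_user_id();
    if ( ! $manages_event && ! $owns_order ) {
        // Same status as a missing record so the response does not
        // confirm which IDs exist.
        wp_send_json_error( 'not found', 404 );
    }

    // 6. Return only the fields the scanner needs, never the raw post object.
    wp_send_json_success( array(
        'order_id' => $order_id,
        'status'   => get_post_meta( $order_id, '_ticket_status', true ),
    ) );
}
add_action( 'wp_ajax_scan_qr', 'secure_scan_qr' );
// Deliberately no wp_ajax_nopriv_scan_qr registration for the hardened
// handler: unauthenticated requests never reach it.
```

Two design points worth noting. The ownership check in step 5 is what actually closes CWE-639; authentication alone (steps 1 and 2) would still let any logged-in account read every order. And returning the same 404 for "exists but not yours" as for "does not exist" keeps the endpoint from acting as an oracle for which sequential IDs are populated. A further hardening that fits the same weakness class is to put an unguessable random token in the QR payload and resolve it to the post server-side, so the public key is no longer a sequential integer at all.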
