CVE-2026-41471
Published: 04 May 2026
Summary
CVE-2026-41471 is a high-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in WordPress (inferred from references). Its CVSS base score is 8.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 26.8th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Deeper analysis
CVE-2026-41471 is an information disclosure vulnerability in the Easy PayPal Events & Tickets plugin for WordPress, affecting versions 1.3 and earlier. The flaw exists in the QR code scanning endpoint, scan_qr.php, which exposes customer order records that the plugin stores as WordPress posts with sequential post IDs. Published on 2026-05-04, it is rated 7.5 on the CVSS 3.1 scale (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) and maps to CWE-639 (Authorization Bypass Through User-Controlled Key).
Unauthenticated attackers can exploit this vulnerability remotely by iterating over sequential post IDs via the scan_qr.php endpoint, enumerating and retrieving the complete set of all customer orders without requiring authentication or prior knowledge of specific identifiers. This enables bulk harvesting of sensitive order data from affected sites.
Advisories recommend removing or disabling the plugin: it was closed on 2026-03-18 and no patched version is available. Further details are provided in the references, including the VulnCheck advisory at https://www.vulncheck.com/advisories/easy-paypal-events-tickets-information-disclosure-via-qr-code-endpoint, the WordPress plugin page at https://wordpress.org/plugins/easy-paypal-events-tickets, and a technical gist at https://gist.github.com/4lec4st/9fd04b4bfadb3f7e388f61588f5f2564.
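As an added, defender-side example (not from the advisory, the plugin, or the gist): a small Python detector that reads web server access logs and flags clients whose requests to scan_qr.php walk a dense run of sequential numeric IDs, the bulk-harvesting pattern described above. The plugin path and the id parameter name in the constructed sample lines are assumptions; the page does not name the parameter, so the detector keys only on the script name and treats every integer-valued query parameter as a candidate key.

```python
"""Flag sequential-ID enumeration of scan_qr.php in web server access logs."""
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Combined log format: client IP, timestamp, request line, status. Constructed sample:
# one client walks post IDs 101..106, another scans a single ticket, one hits another page.
# The plugin path and the 'id' parameter name are assumptions; the detector only keys on
# the script name scan_qr.php and treats every integer-valued query parameter as a key.
SAMPLE_LOG = [
    f'203.0.113.9 - - [04/May/2026:10:00:0{i} +0000] "GET /wp-content/plugins/'
    f'easy-paypal-events-tickets/scan_qr.php?id={100 + i} HTTP/1.1" 200 512 "-" "curl/8.0"'
    for i in range(1, 7)
] + [
    '198.51.100.20 - - [04/May/2026:10:05:00 +0000] "GET /wp-content/plugins/'
    'easy-paypal-events-tickets/scan_qr.php?id=250 HTTP/1.1" 200 498 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [04/May/2026:10:05:02 +0000] "GET /wp-login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+)')

def extract_ids(target):
    """Integer-valued query parameters of a request to scan_qr.php; [] for any other script."""
    parts = urlsplit(target)
    if parts.path.rsplit("/", 1)[-1] != "scan_qr.php":
        return []
    return [int(v) for _, v in parse_qsl(parts.query) if v.isdigit()]

def longest_dense_run(ids, max_gap):
    """Length of the longest run of sorted distinct IDs whose neighbours differ by <= max_gap."""
    if not ids:
        return 0
    best = run = 1
    for a, b in zip(ids, ids[1:]):
        run = run + 1 if b - a <= max_gap else 1
        best = max(best, run)
    return best

def enumeration_sources(log_lines, min_run=5, max_gap=3):
    """Map client IP -> sorted IDs for clients whose scan_qr.php requests form a dense ID run."""
    seen = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.match(line)
        if m:
            for pid in extract_ids(m.group("target")):
                seen[m.group("ip")].add(pid)
    # A legitimate ticket scan touches one ID at a time; a dense run of distinct IDs is the
    # enumeration signature. max_gap tolerates IDs skipped by the attacker or by other posts.
    return {ip: sorted(ids) for ip, ids in seen.items()
            if longest_dense_run(sorted(ids), max_gap) >= min_run}
```

On the sample, `enumeration_sources(SAMPLE_LOG)` returns only the 203.0.113.9 client with IDs 101 through 106; the single-ticket scanner is not flagged.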
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-27050
Vulnerability details
The Easy PayPal Events & Tickets plugin for WordPress before version 1.4 contains an information disclosure vulnerability in the QR code scanning endpoint that allows unauthenticated attackers to enumerate and retrieve all customer order records. Attackers can iterate over sequential WordPress post IDs through the scan_qr.php endpoint to harvest the complete set of orders stored in the database without requiring authentication or prior knowledge of specific order identifiers.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes a remote, unauthenticated information disclosure vulnerability in a public-facing WordPress plugin endpoint (scan_qr.php) that can be directly exploited by iterating sequential IDs, matching the definition of T1190 (Exploit Public-Facing Application).
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): directly enforces authorization checks on the scan_qr.php endpoint so that sequential post-ID requests cannot retrieve order records without authentication.
- AC-6 (Least Privilege): ensures the QR-code endpoint operates with least privilege, denying unauthenticated access to any customer order data by default.
- IA-8 (Identification and Authentication (Non-Organizational Users)): requires identification and authentication of non-organizational users before the endpoint is allowed to return any order records.