PT-2026-32605 · WordPress · Eventin

Supakiad S · Published 2026-04-14 · Updated 2026-04-14 · CVE-2026-4109

CVSS v3.1: 4.3 Medium
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions
Eventin – Events Calendar, Event Booking, Ticket & Registration (AI Powered) versions prior to 4.1.9

Description
An improper capability check in the get_item_permissions_check() function allows authenticated attackers with Subscriber-level access or higher to gain unauthorized access to data. By iterating order IDs, an attacker can read arbitrary order information, including customer personally identifiable information (PII) such as name, email, and phone number.

Recommendations
Update to a version newer than 4.1.8.
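
To check whether the order-ID iteration described above occurred before the update was applied, web server access logs can be reviewed for a single client successfully reading many different order IDs. The following is an added example, not code from the advisory or the plugin; the route in ORDER_ROUTE is a placeholder (the advisory does not name the REST path), the threshold is an assumption, and the log lines are constructed.

```python
import re
from collections import defaultdict

# Placeholder route (assumption): the advisory does not name the REST path,
# so substitute the order endpoint your Eventin install actually exposes.
ORDER_ROUTE = re.compile(r"/wp-json/PLACEHOLDER-NAMESPACE/orders/(\d+)")

# Combined log format: ip ident user [time] "METHOD path proto" status size
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def find_order_enumeration(lines, min_distinct=5):
    """Return {client_ip: sorted order IDs} for clients that successfully
    read at least `min_distinct` different order IDs."""
    seen = defaultdict(set)
    for line in lines:
        m = LOG_LINE.match(line)
        # Only 200 responses count: those are reads that returned order data.
        if not m or m["method"] != "GET" or m["status"] != "200":
            continue
        route = ORDER_ROUTE.search(m["path"])
        if route:
            seen[m["ip"]].add(int(route.group(1)))
    return {ip: sorted(ids) for ip, ids in seen.items()
            if len(ids) >= min_distinct}

def _line(ip, order_id, status=200):
    # Builds one constructed access-log line for the sample below.
    return (f'{ip} - - [14/Apr/2026:10:00:00 +0000] '
            f'"GET /wp-json/PLACEHOLDER-NAMESPACE/orders/{order_id} HTTP/1.1" '
            f'{status} 512')

# Constructed sample data (documentation IP ranges, made-up order IDs).
SAMPLE_LOG = (
    [_line("203.0.113.7", i) for i in range(100, 108)]      # walks IDs 100..107
    + [_line("198.51.100.4", 215), _line("198.51.100.4", 215)]  # re-reads one order
    + [_line("192.0.2.9", i, status=403) for i in range(300, 310)]  # all denied
)

if __name__ == "__main__":
    for ip, ids in find_order_enumeration(SAMPLE_LOG).items():
        print(f"{ip} read {len(ids)} distinct orders: {ids[0]}..{ids[-1]}")
```

Any order ID reported for a flagged client identifies a customer record whose name, email and phone number may have been disclosed.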

Fix

Weakness Enumeration: Missing Authorization

Related Identifiers: CVE-2026-4109

Affected Products: Eventin