PT-2026-56314 · WordPress · Eventer

Rafie Muhammad

·

Published

2026-07-08

·

Updated

2026-07-08

·

CVE-2026-9701

CVSS v3.1

9.8

Critical

VectorAV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions Eventer versions prior to 4.4.3
Description The plugin implements an insecure password reset mechanism. When a password reset is requested, a plaintext copy of the reset key is stored in the eventer verification code user meta field within the wp usermeta table. An attacker who obtains this plaintext key can use the plugin's custom reset action to change the password of any user account, including those with administrator privileges. This issue is particularly critical when combined with other flaws that allow the extraction of data from the database. The password reset function is only operational on PHP versions up to 7.4.
Recommendations Update the plugin to a version newer than 4.4.2. Restrict access to the eventer verification code user meta field to prevent unauthorized extraction of reset keys.

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-9701

Affected Products

Eventer