PT-2026-58093 · WordPress · Hi.Events

Adam Młynarczyk

·

Published

2026-07-14

·

Updated

2026-07-14

·

CVE-2026-60118

CVSS v4.0

6.9

Medium

VectorAV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions Hi.Events versions prior to 1.11.0
Description Missing server-side visibility enforcement allows unauthenticated attackers to purchase hidden tickets. By referencing hidden product and price IDs in order creation requests, attackers can bypass authorization checks. This is possible by enumerating sequential hidden ticket IDs based on visible ones to acquire VIP, invite-only, or discounted tickets that were intentionally withheld from public sale.
Recommendations Update Hi.Events to version 1.11.0 or later.

Exploit

Fix

Missing Authorization

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-60118
GHSA-2H54-CPRV-VJ74

Affected Products

Hi.Events