Eventer <= 4.4.2 - Insecure Password Reset Mechanism to Unauthenticated Privilege Escalation

2026-07-07 16:30
Rafie Muhammad

Strategic Overview

Status
Unpatched
Affected PluginEventer
Affected Version<= 4.4.2
CVSS9.8Critical
CVECVE-2026-9701
View all Eventer vulnerabilities

Vulnerability Overview

The Eventer plugin for WordPress is vulnerable to an insecure password reset mechanism in all versions up to, and including, 4.4.2. The plugin stores a plaintext copy of the password reset key in the `eventer_verification_code` user meta field when a user requests a password reset. The plaintext key stored in `wp_usermeta` can be used with the plugin's custom reset action to set a new password for any user. Combined with another vulnerability such as SQL Injection (CVE-2026-9700), this makes it possible for unauthenticated attackers to extract the plaintext reset key and take over any user account, including administrators. Note: The password reset function only works up to PHP version 7.4.

Technical Analysis

REMEDIATION: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement. --- IDENTIFIER: CWE-289 (Authentication Bypass by Alternate Name) The product performs authentication based on the name of a resource being accessed, or the name of the actor performing the access, but it does not properly check all possible names for that resource or actor.

External References

Vulnerability data © Defiant, Inc., provided under the Wordfence Intelligence T&C