CVE-2026-40776: WordPress Eventin plugin <= 4.1.8 - Broken Access Control vulnerability
Unauthenticated Broken Access Control in WP Event Solution (Eventin) versions 4.1.8 and earlier.
Metrics
- CVSS v3.1
- 7.5
- Severity
- HIGH
- Fixed in
- —
- Affected Products
- 1
HarborGuard Analysis
Synopsis
This is a broken access control vulnerability in the Eventin (WP Event Solution) WordPress plugin at version 4.1.8 and earlier. The flaw is reachable over the network and requires no authentication, so any anonymous remote client that can send HTTP requests to the site can trigger it. Successful exploitation exposes confidential data stored by the plugin (CVSS C:H); there is no tampering (I:N) or service disruption (A:N) component. HarborGuard tracks this advisory for patch availability and will surface a patched-image rebuild as soon as an upstream fix is published.
HarborGuard Coverage
Detection of CVE-2026-40776 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built WordPress images that bundle the Eventin plugin at an affected version.
HarborGuard scores this CVE at CVSS 7.5 HIGH and weights it against each customer org's compliance policy to determine urgency and routing. Triage findings are delivered to the inbox or ticketing integration configured for the relevant team within that org.
No upstream fix has been published for CVE-2026-40776 as of the publication date. HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically as soon as Arraytics ships a remediated version of the WP Event Solution plugin.
Exploit Conditions
- Network reachability: Required
The vulnerable plugin endpoint is exposed over the network, so an attacker must be able to send HTTP requests to the WordPress installation.
- Authentication: Not required
No account or session credential is needed; the access control bypass is exploitable by any anonymous, unauthenticated request.
- Victim interaction: Not required
No victim action such as clicking a link or visiting a page is required; the attacker sends requests directly to the target.
- Attack complexity: Low
Attack complexity is low (CVSS AC:L): the attack depends on no special conditions, race wins, or environmental prerequisites beyond being able to reach the endpoint.
Blast Radius
- An attacker reads data protected by the plugin's access controls, which may include event registrations, attendee records, or other plugin-managed content.
- No data modification is possible through this vulnerability; integrity of stored records is not affected.
- No denial-of-service or availability impact is associated with this vulnerability; the service continues running normally.
- Because no authentication is required, the exposed data is accessible to any external party who can reach the WordPress site.
How HarborGuard Handles This
Images that include the WP Event Solution plugin at version 4.1.8 or earlier are flagged on every scan, including in CI pipeline checks and registry sweeps. Because no upstream patch exists yet, HarborGuard monitors the Patchstack advisory and the Arraytics release feed on each ingest cycle. When a fixed version is published, a patched-image rebuild becomes available immediately; customers with auto-remediation enabled receive a rebuilt image, a regression test run, and a PR opened against affected workloads without manual intervention. In the meantime, compensating controls worth considering include a WAF rule that restricts access to the vulnerable endpoints (this advisory does not name them, so such a rule can only be written once the affected route is disclosed), network policy that limits which services can reach the WordPress host, and an audit of what data the Eventin plugin actually stores on each site, since the real exposure is bounded by that data rather than by the CVSS score alone.
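The version check behind such a scan is a small piece of logic that is easy to get wrong: comparing "4.1.8" and "4.1.10" as strings puts 4.1.10 below 4.1.8. The following script, added here as an example and not part of HarborGuard's or Arraytics' code, reads the WordPress plugin header (the `Plugin Name:` and `Version:` lines in the first 8 KiB of a plugin's main PHP file), compares versions numerically against the advisory's upper bound of 4.1.8, and reports any Eventin install in range. The plugin directory slug `wp-event-solution`, the file name `eventin.php`, and the header contents are constructed assumptions for the demo; only the header fields matter to the scan.

```python
"""Flag Eventin (WP Event Solution) installs inside the CVE-2026-40776 range (<= 4.1.8).

Added example; not HarborGuard's or the plugin vendor's code.
"""
import re
import tempfile
from pathlib import Path
from typing import List, Optional, Tuple

# Highest affected version per the advisory. No fixed version is published yet, so a
# version above this is merely outside the stated range, not proof that a fix is in.
LAST_AFFECTED = "4.1.8"

# WordPress reads a plugin's header block from the first 8 KiB of its main PHP file.
HEADER_BYTES = 8192
NAME_RE = re.compile(r"^[\s*#/]*Plugin Name:\s*(.+?)\s*$", re.MULTILINE)
VERSION_RE = re.compile(r"^[\s*#/]*Version:\s*(\S+)\s*$", re.MULTILINE)
# Both names the advisory uses for the plugin; the directory slug is not stated there.
EVENTIN_NAME_RE = re.compile(r"eventin|wp event solution", re.IGNORECASE)

# Constructed sample headers for the demo (not the real plugin files).
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: Eventin
 * Description: Constructed sample header for this example.
 * Version: 4.1.8
 * Author: Arraytics
 */
"""
OTHER_HEADER = """<?php
/**
 * Plugin Name: Some Other Plugin
 * Version: 4.1.2
 */
"""


def parse_version(v: str) -> Tuple[Tuple[int, ...], int]:
    """Turn '4.1.10' into ((4, 1, 10, 0), 1) so comparison is numeric, not lexicographic.

    A pre-release suffix ('4.1.8-beta1') sorts just below the matching release.
    """
    core, _, pre = v.partition("-")
    nums = tuple(int(p) for p in re.findall(r"\d+", core))[:4]
    nums += (0,) * (4 - len(nums))
    return (nums, 0 if pre else 1)


def is_affected(version: str) -> bool:
    """True when version <= LAST_AFFECTED under numeric comparison."""
    return parse_version(version) <= parse_version(LAST_AFFECTED)


def parse_plugin_header(text: str) -> Tuple[Optional[str], Optional[str]]:
    """Extract (Plugin Name, Version) from a plugin main file's header comment."""
    head = text[:HEADER_BYTES]
    name = NAME_RE.search(head)
    version = VERSION_RE.search(head)
    return (name.group(1) if name else None, version.group(1) if version else None)


def scan_plugins_dir(plugins_dir: Path) -> List[Tuple[str, str, str, bool]]:
    """Walk wp-content/plugins; return (dir, name, version, affected) for each Eventin match."""
    findings = []
    for plugin_dir in sorted(p for p in plugins_dir.iterdir() if p.is_dir()):
        for php in sorted(plugin_dir.glob("*.php")):
            name, version = parse_plugin_header(php.read_text(errors="replace"))
            if name and version and EVENTIN_NAME_RE.search(name):
                findings.append((plugin_dir.name, name, version, is_affected(version)))
                break  # one header per plugin; stop at the main file
    return findings


def demo_scan() -> List[Tuple[str, str, str, bool]]:
    """Build a throwaway plugins tree from the constructed headers and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        plugins = Path(tmp) / "wp-content" / "plugins"
        # Slug and file name are assumptions; the scan only reads the header fields.
        (plugins / "wp-event-solution").mkdir(parents=True)
        (plugins / "wp-event-solution" / "eventin.php").write_text(SAMPLE_HEADER)
        (plugins / "other-plugin").mkdir()
        (plugins / "other-plugin" / "other.php").write_text(OTHER_HEADER)
        return scan_plugins_dir(plugins)


if __name__ == "__main__":
    for slug, name, version, affected in demo_scan():
        status = "AFFECTED (CVE-2026-40776)" if affected else "outside advisory range"
        print(f"{slug}: {name} {version} -> {status}")
```

Point the scanner at a real `wp-content/plugins` directory (from a mounted image layer or a checkout) with `scan_plugins_dir(Path(...))`. Because the advisory lists no fixed version, treat a result above 4.1.8 as "not in the published range" and keep watching the upstream release feed rather than closing the finding.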
- Arraytics / WP Event Solution: ≤ 4.1.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N