CVE-2026-9701
joe007 · Eventer
The Eventer WordPress plugin stores password reset keys in plaintext, allowing unauthenticated attackers to hijack user accounts.
Executive summary
A critical authentication bypass vulnerability in the Eventer WordPress plugin allows unauthenticated attackers to hijack any user account, including administrators.
Vulnerability
The plugin insecurely stores plaintext password reset keys in the eventer_verification_code meta field. Unauthenticated attackers can leverage this, potentially in conjunction with other vulnerabilities like SQL injection, to retrieve these keys and reset passwords for arbitrary accounts.
Business impact
This vulnerability carries a CVSS score of 9.8, indicating maximum severity. Successful exploitation allows for complete account takeover, granting attackers administrative access to the WordPress instance. This leads to full site control, unauthorized data access, and the potential to inject malicious content into the site.
Remediation
Immediate Action: Update the Eventer plugin to the latest version immediately to ensure secure handling of password reset keys.
Proactive Monitoring: Monitor user metadata tables for suspicious entries in the eventer_verification_code field and audit successful password reset events.
Compensating Controls: Ensure the site is protected by a WAF and disable the password reset functionality if the plugin cannot be updated immediately.
Exploitation status
Public Exploit Available: False
Analyst recommendation
Account takeover vulnerabilities are high-priority risks that must be addressed immediately. Administrators should update the Eventer plugin to the latest version, verify that no unauthorized accounts have been created or modified, and force a password reset for all administrative users.